11241100x8000000000000000600960Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.829{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\AtomicTestHarnesses\1.3.0.0\Tests\Module.Tests.ps12021-01-19 19:07:54.829 11241100x8000000000000000600959Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.829{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\AtomicTestHarnesses\1.3.0.0\TestHarnesses\T1218_SignedBinaryProxyExecution\InvokeRemoteFXvGPUDisablementCommand.Tests.ps12021-01-19 19:07:54.829 11241100x8000000000000000600958Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.829{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\AtomicTestHarnesses\1.3.0.0\TestHarnesses\T1218_SignedBinaryProxyExecution\InvokeRemoteFXvGPUDisablementCommand.ps12021-01-19 19:07:54.829 11241100x8000000000000000600957Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.829{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\AtomicTestHarnesses\1.3.0.0\TestHarnesses\T1218.005_Mshta\InvokeHTMLApplication.Tests.ps12021-01-19 19:07:54.829 11241100x8000000000000000600956Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.829{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\AtomicTestHarnesses\1.3.0.0\TestHarnesses\T1218.005_Mshta\InvokeHTMLApplication.ps12021-01-19 19:07:54.829 11241100x8000000000000000600955Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.829{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\AtomicTestHarnesses\1.3.0.0\TestHarnesses\T1218.001_CompiledHTMLFile\InvokeCompiledHTMLFile.Tests.ps12021-01-19 19:07:54.829 11241100x8000000000000000600954Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.829{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\AtomicTestHarnesses\1.3.0.0\TestHarnesses\T1218.001_CompiledHTMLFile\InvokeCompiledHTMLFile.ps12021-01-19 19:07:54.829 11241100x8000000000000000600953Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.829{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\AtomicTestHarnesses\1.3.0.0\TestHarnesses\T1134.004_ParentPIDSpoofing\PPIDSpoof.Tests.ps12021-01-19 19:07:54.829 11241100x8000000000000000600952Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.829{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\AtomicTestHarnesses\1.3.0.0\TestHarnesses\T1134.004_ParentPIDSpoofing\PPIDSpoof.ps12021-01-19 19:07:54.829 11241100x8000000000000000600951Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.829{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\AtomicTestHarnesses\1.3.0.0\TestHarnesses\T1059.001_PowerShell\OutPowerShellCommandLineParameter.Tests.ps12021-01-19 19:07:54.829 11241100x8000000000000000600950Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.813{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\AtomicTestHarnesses\1.3.0.0\TestHarnesses\T1059.001_PowerShell\OutPowerShellCommandLineParameter.ps12021-01-19 19:07:54.813 11241100x8000000000000000600949Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.813{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\AtomicTestHarnesses\1.3.0.0\TestHarnesses\T1055_ProcessInjection\ProcessHerpderp.Tests.ps12021-01-19 19:07:54.813 11241100x8000000000000000600948Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.813{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\AtomicTestHarnesses\1.3.0.0\TestHarnesses\T1055_ProcessInjection\ProcessHerpderp.ps12021-01-19 19:07:54.813 11241100x8000000000000000600947Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.547{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1066329742\AtomicTestHarnesses\Tests\Module.Tests.ps12021-01-19 19:07:54.547 11241100x8000000000000000600946Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.547{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1066329742\AtomicTestHarnesses\TestHarnesses\T1218_SignedBinaryProxyExecution\InvokeRemoteFXvGPUDisablementCommand.Tests.ps12021-01-19 19:07:54.532 11241100x8000000000000000600945Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.532{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1066329742\AtomicTestHarnesses\TestHarnesses\T1218_SignedBinaryProxyExecution\InvokeRemoteFXvGPUDisablementCommand.ps12021-01-19 19:07:54.532 11241100x8000000000000000600944Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.532{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1066329742\AtomicTestHarnesses\TestHarnesses\T1218.005_Mshta\InvokeHTMLApplication.Tests.ps12021-01-19 19:07:54.532 11241100x8000000000000000600943Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.532{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1066329742\AtomicTestHarnesses\TestHarnesses\T1218.005_Mshta\InvokeHTMLApplication.ps12021-01-19 19:07:54.532 11241100x8000000000000000600942Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.532{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1066329742\AtomicTestHarnesses\TestHarnesses\T1218.001_CompiledHTMLFile\InvokeCompiledHTMLFile.Tests.ps12021-01-19 19:07:54.532 11241100x8000000000000000600941Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.532{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1066329742\AtomicTestHarnesses\TestHarnesses\T1218.001_CompiledHTMLFile\InvokeCompiledHTMLFile.ps12021-01-19 19:07:54.532 11241100x8000000000000000600940Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.532{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1066329742\AtomicTestHarnesses\TestHarnesses\T1134.004_ParentPIDSpoofing\PPIDSpoof.Tests.ps12021-01-19 19:07:54.532 11241100x8000000000000000600939Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.532{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1066329742\AtomicTestHarnesses\TestHarnesses\T1134.004_ParentPIDSpoofing\PPIDSpoof.ps12021-01-19 19:07:54.532 11241100x8000000000000000600938Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.532{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1066329742\AtomicTestHarnesses\TestHarnesses\T1059.001_PowerShell\OutPowerShellCommandLineParameter.Tests.ps12021-01-19 19:07:54.532 11241100x8000000000000000600937Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:54.532{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1066329742\AtomicTestHarnesses\TestHarnesses\T1059.001_PowerShell\OutPowerShellCommandLineParameter.ps12021-01-19 19:07:54.532 354300x8000000000000000600963Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:56.229{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-690.attackrange.local59122-false72.21.81.200-443https 354300x8000000000000000600962Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:55.754{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-690.attackrange.local59121-false168.61.186.235-443https 354300x8000000000000000600961Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:07:55.367{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-690.attackrange.local59120-false168.61.186.235-443https 10341000x8000000000000000600966Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:02.172{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600965Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:02.172{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600964Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:02.172{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600988Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.843{5A2C5089-ED57-6001-0B00-00000000A301}8602232C:\Windows\system32\lsass.exe{5A2C5089-ED55-6001-0100-00000000A301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000600987Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.609{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600986Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.577{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600985Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.577{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600984Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.531{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600983Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.531{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600982Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.484{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600981Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.484{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600980Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.468{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2E29-6007-BBA1-00000000A301}6416C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600979Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.452{5A2C5089-2CFA-6007-61A1-00000000A301}41643176C:\Windows\system32\csrss.exe{5A2C5089-2E29-6007-BBA1-00000000A301}6416C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000600978Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.452{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600977Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.452{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600976Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.452{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600975Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.452{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600974Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.452{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2E29-6007-BBA1-00000000A301}6416C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000600973Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.452{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2E29-6007-BBA1-00000000A301}6416C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000600972Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.452{5A2C5089-2E29-6007-BBA1-00000000A301}6416C:\Windows\System32\InstallAgent.exe10.0.14393.4169 (rs1_release.210107-1130)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=88C7DCDD735B31E4F5620E4B9F38C87F,SHA256=5EF1322B96F176C4EA4B8304CAF8B45E2E42C3188AA82ED1FD6196AFC04B7297,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{5A2C5089-ED59-6001-0C00-00000000A301}668C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000600971Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.390{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600970Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.390{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600969Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.390{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600968Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.390{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600967Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:25.390{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600990Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:26.046{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600989Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:26.046{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000600991Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:28.131{5A2C5089-ED5A-6001-1400-00000000A301}1324win-dc-690.attackrange.local0fe80::186e:2dc6:8617:bb04;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 10341000x8000000000000000600999Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:32.562{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2E30-6007-BCA1-00000000A301}6656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600998Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:32.530{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600997Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:32.530{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600996Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:32.530{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600995Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:32.530{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600994Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:32.530{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2E30-6007-BCA1-00000000A301}6656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000600993Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:32.530{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2E30-6007-BCA1-00000000A301}6656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000600992Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:32.531{5A2C5089-2E30-6007-BCA1-00000000A301}6656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601016Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.811{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2E31-6007-BEA1-00000000A301}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601015Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.811{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601014Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.811{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601013Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.811{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601012Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.811{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601011Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.811{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2E31-6007-BEA1-00000000A301}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601010Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.811{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2E31-6007-BEA1-00000000A301}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601009Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.814{5A2C5089-2E31-6007-BEA1-00000000A301}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601008Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.327{5A2C5089-2E31-6007-BDA1-00000000A301}32083944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601007Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.171{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2E31-6007-BDA1-00000000A301}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601006Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.171{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601005Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.171{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601004Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.171{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601003Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.171{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601002Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.171{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-2E31-6007-BDA1-00000000A301}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601001Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.171{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2E31-6007-BDA1-00000000A301}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601000Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:33.173{5A2C5089-2E31-6007-BDA1-00000000A301}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601034Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.608{5A2C5089-2E32-6007-C0A1-00000000A301}52965604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601033Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.468{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2E32-6007-C0A1-00000000A301}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601032Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.452{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601031Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.452{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601030Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.452{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601029Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.452{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601028Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.452{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2E32-6007-C0A1-00000000A301}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601027Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.452{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2E32-6007-C0A1-00000000A301}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601026Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.455{5A2C5089-2E32-6007-C0A1-00000000A301}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601025Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.093{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-2E32-6007-BFA1-00000000A301}6824C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601024Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.093{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-2E32-6007-BFA1-00000000A301}6824C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601023Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.061{5A2C5089-ED5A-6001-1600-00000000A301}15365856C:\Windows\system32\svchost.exe{5A2C5089-2E32-6007-BFA1-00000000A301}6824C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601022Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.046{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2E32-6007-BFA1-00000000A301}6824C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601021Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.030{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-2E32-6007-BFA1-00000000A301}6824C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601020Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.030{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2E32-6007-BFA1-00000000A301}6824C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601019Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.015{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601018Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.015{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601017Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:34.015{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601051Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.921{5A2C5089-2E33-6007-C2A1-00000000A301}14205364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601050Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.749{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2E33-6007-C2A1-00000000A301}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601049Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.749{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601048Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.749{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601047Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.749{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601046Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.749{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601045Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.749{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-2E33-6007-C2A1-00000000A301}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601044Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.749{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2E33-6007-C2A1-00000000A301}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601043Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.750{5A2C5089-2E33-6007-C2A1-00000000A301}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601042Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.108{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2E33-6007-C1A1-00000000A301}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601041Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.108{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601040Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.108{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601039Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.108{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601038Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.108{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601037Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.108{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2E33-6007-C1A1-00000000A301}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601036Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.108{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2E33-6007-C1A1-00000000A301}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601035Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:35.110{5A2C5089-2E33-6007-C1A1-00000000A301}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000601061Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localT1042SetValue2021-01-19 19:08:36.733{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXEHKU\S-1-5-21-1839124484-365630122-3507043028-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 10341000x8000000000000000601060Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:36.577{5A2C5089-2E34-6007-C3A1-00000000A301}57766432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601059Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:36.421{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2E34-6007-C3A1-00000000A301}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601058Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:36.421{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601057Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:36.421{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601056Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:36.421{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601055Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:36.421{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2E34-6007-C3A1-00000000A301}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601054Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:36.421{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601053Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:36.421{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2E34-6007-C3A1-00000000A301}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601052Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:36.422{5A2C5089-2E34-6007-C3A1-00000000A301}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000601071Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:08:46.748{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000601070Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:08:46.748{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1485a8a5) 13241300x8000000000000000601069Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:08:46.748{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ee8e-0x2144a12d) 13241300x8000000000000000601068Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:08:46.748{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ee96-0x8309092d) 13241300x8000000000000000601067Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:08:46.748{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ee9e-0xe4cd712d) 13241300x8000000000000000601066Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:08:46.748{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000601065Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:08:46.748{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1485a8a5) 13241300x8000000000000000601064Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:08:46.748{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ee8e-0x21484666) 13241300x8000000000000000601063Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:08:46.748{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ee96-0x830cae66) 13241300x8000000000000000601062Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:08:46.748{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ee9e-0xe4d11666) 10341000x8000000000000000601089Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.905{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E3F-6007-C5A1-00000000A301}6532C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601088Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.905{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601087Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.905{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601086Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.905{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601085Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.905{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601084Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.905{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-2E3F-6007-C5A1-00000000A301}6532C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601083Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.905{5A2C5089-2D23-6007-99A1-00000000A301}7526856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5A2C5089-2E3F-6007-C5A1-00000000A301}6532C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ae32a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7fa2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f8635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f782e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f843b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64) 154100x8000000000000000601082Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.908{5A2C5089-2E3F-6007-C5A1-00000000A301}6532C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000601081Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.889{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E3F-6007-C4A1-00000000A301}5336C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601080Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.889{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601079Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.889{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601078Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.889{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601077Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.889{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601076Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.889{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-2E3F-6007-C4A1-00000000A301}5336C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601075Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.889{5A2C5089-2D23-6007-99A1-00000000A301}7526856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5A2C5089-2E3F-6007-C4A1-00000000A301}5336C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ae32a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7fa2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f8635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f782e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f843b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64) 154100x8000000000000000601074Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.891{5A2C5089-2E3F-6007-C4A1-00000000A301}5336C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000601073Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:47.827{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\T1127.001.txt2021-01-19 19:08:47.827 11241100x8000000000000000601072Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localEXE2021-01-19 19:08:47.827{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\notmsbuild.exe2021-01-19 19:08:47.827 10341000x8000000000000000601127Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.701{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E40-6007-C9A1-00000000A301}916C:\Temp\notmsbuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601126Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.670{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2E40-6007-C9A1-00000000A301}916C:\Temp\notmsbuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601125Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.670{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601124Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.670{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601123Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.670{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601122Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.670{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601121Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.670{5A2C5089-2E40-6007-C8A1-00000000A301}62287036C:\Windows\system32\cmd.exe{5A2C5089-2E40-6007-C9A1-00000000A301}916C:\Temp\notmsbuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601120Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.671{5A2C5089-2E40-6007-C9A1-00000000A301}916C:\Temp\notmsbuild.exe4.7.2053.0 built by: NET47REL1MSBuild.exeMicrosoft® .NET FrameworkMicrosoft CorporationMSBuild.exeC:\Temp\notmsbuild.exe c:\Temp\T1127.001.txt C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=25AF350BC14E22D38408E60A71DF6A73,SHA256=10332B7807D8397DAB04D8796C418B0074C1980CD88CBA0CFAFE9491D1C71AAF,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5A2C5089-2E40-6007-C8A1-00000000A301}6228C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Temp\notmsbuild.exe c:\Temp\T1127.001.txt" 10341000x8000000000000000601119Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.655{5A2C5089-2D23-6007-99A1-00000000A301}7526856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5A2C5089-2E40-6007-C8A1-00000000A301}6228C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF8851D7AA3) 10341000x8000000000000000601118Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.655{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E40-6007-C8A1-00000000A301}6228C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601117Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.655{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601116Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.655{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601115Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.655{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601114Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.655{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601113Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.655{5A2C5089-2CFA-6007-61A1-00000000A301}41643176C:\Windows\system32\csrss.exe{5A2C5089-2E40-6007-C8A1-00000000A301}6228C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601112Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.655{5A2C5089-2D23-6007-99A1-00000000A301}7526856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5A2C5089-2E40-6007-C8A1-00000000A301}6228C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f835b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8005de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f7c19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7fa2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f8635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f782e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7fb1471(wow64) 154100x8000000000000000601111Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.661{5A2C5089-2E40-6007-C8A1-00000000A301}6228C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Temp\notmsbuild.exe c:\Temp\T1127.001.txt" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000601110Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.655{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-01-19 19:08:48.655 11241100x8000000000000000601109Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.655{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-01-19 19:08:48.655 11241100x8000000000000000601108Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:08:48.248{5A2C5089-2E40-6007-C6A1-00000000A301}4732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\3f2cmohu\3f2cmohu.dll2021-01-19 19:08:48.045 10341000x8000000000000000601107Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.233{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E40-6007-C7A1-00000000A301}6224C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601106Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.233{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601105Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.233{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601104Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.233{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2E40-6007-C7A1-00000000A301}6224C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601103Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.233{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601102Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.233{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601101Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.233{5A2C5089-2E40-6007-C6A1-00000000A301}47325288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5A2C5089-2E40-6007-C7A1-00000000A301}6224C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601100Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.238{5A2C5089-2E40-6007-C7A1-00000000A301}6224C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESAE71.tmp" "c:\Users\Administrator\AppData\Local\Temp\3f2cmohu\CSC56D2543BFB1E44D78DF4D8711E645F9.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5A2C5089-2E40-6007-C6A1-00000000A301}4732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\3f2cmohu\3f2cmohu.cmdline" 10341000x8000000000000000601099Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.061{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E40-6007-C6A1-00000000A301}4732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601098Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.061{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601097Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.061{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601096Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.061{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601095Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.061{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601094Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.061{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2E40-6007-C6A1-00000000A301}4732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601093Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.061{5A2C5089-2D23-6007-99A1-00000000A301}7526856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5A2C5089-2E40-6007-C6A1-00000000A301}4732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\db79b1cc2b753cce16ad58d141a194ca\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\db79b1cc2b753cce16ad58d141a194ca\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7fa8357(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7fa2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f8635c(wow64) 154100x8000000000000000601092Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.063{5A2C5089-2E40-6007-C6A1-00000000A301}4732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\3f2cmohu\3f2cmohu.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000601091Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:48.045{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\3f2cmohu\3f2cmohu.cmdline2021-01-19 19:08:48.045 11241100x8000000000000000601090Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:08:48.045{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\3f2cmohu\3f2cmohu.dll2021-01-19 19:08:48.045 11241100x8000000000000000601166Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:08:49.733{5A2C5089-2E41-6007-CCA1-00000000A301}1032C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ybsa0uv3\ybsa0uv3.dll2021-01-19 19:08:49.655 10341000x8000000000000000601165Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.717{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E41-6007-CDA1-00000000A301}6828C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601164Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.717{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601163Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.717{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601162Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.717{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601161Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.717{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601160Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.717{5A2C5089-2CFA-6007-61A1-00000000A301}41646216C:\Windows\system32\csrss.exe{5A2C5089-2E41-6007-CDA1-00000000A301}6828C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601159Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.717{5A2C5089-2E41-6007-CCA1-00000000A301}10324940C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe{5A2C5089-2E41-6007-CDA1-00000000A301}6828C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+11aa1(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+bcc5(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+be25(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+beb8(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+ab93(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+accc(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+a078(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+b380e|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+9fe23|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+74c1c|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+62696 154100x8000000000000000601158Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.727{5A2C5089-2E41-6007-CDA1-00000000A301}6828C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESB43E.tmp" "c:\Users\Administrator\AppData\Local\Temp\ybsa0uv3\CSCFE522C072AB742A89C2F4393E644D7A9.TMP"c:\Temp\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=C09985AE74F0882F208D75DE27770DFA,SHA256=E24570ABD130832732D0DD3EC4EFB6E3E1835064513C8B8A2B1AE0D530B04534,IMPHASH=49D51E5A9546CAB5B1356F947A3B973C{5A2C5089-2E41-6007-CCA1-00000000A301}1032C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\ybsa0uv3\ybsa0uv3.cmdline" 10341000x8000000000000000601157Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.655{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E41-6007-CCA1-00000000A301}1032C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601156Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.655{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601155Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.655{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601154Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.655{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601153Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.655{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601152Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.655{5A2C5089-2CFA-6007-61A1-00000000A301}41646216C:\Windows\system32\csrss.exe{5A2C5089-2E41-6007-CCA1-00000000A301}1032C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601151Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.655{5A2C5089-2E40-6007-C9A1-00000000A301}9164376C:\Temp\notmsbuild.exe{5A2C5089-2E41-6007-CCA1-00000000A301}1032C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+22a51d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+19697d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+1964e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+196499(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+19547c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+614e95(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+614624(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+60c0d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\cfc53d6c124db195e5f6af02dd1912f6\Microsoft.Build.Tasks.v4.0.ni.dll+6f68888a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\cfc53d6c124db195e5f6af02dd1912f6\Microsoft.Build.Tasks.v4.0.ni.dll+6f68757b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\25c1e294abb735746f14e8a032b17a48\Microsoft.Build.ni.dll+177258(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\25c1e294abb735746f14e8a032b17a48\Microsoft.Build.ni.dll+176974(wow64) 154100x8000000000000000601150Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.661{5A2C5089-2E41-6007-CCA1-00000000A301}1032C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\ybsa0uv3\ybsa0uv3.cmdline"c:\Temp\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=EB70BF071EC54BF0C29408FFDB89E3BB,SHA256=3CAAD75ADEC05EC7D8568DA01300D06EAC7189BF1C9E42B169BA539A5D469E1C,IMPHASH=30324BFA092EB7BAA283AE5E9D2911B0{5A2C5089-2E40-6007-C9A1-00000000A301}916C:\Temp\notmsbuild.exeC:\Temp\notmsbuild.exe c:\Temp\T1127.001.txt 11241100x8000000000000000601149Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.655{5A2C5089-2E40-6007-C9A1-00000000A301}916C:\Temp\notmsbuild.exeC:\Users\Administrator\AppData\Local\Temp\ybsa0uv3\ybsa0uv3.cmdline2021-01-19 19:08:49.655 11241100x8000000000000000601148Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:08:49.655{5A2C5089-2E40-6007-C9A1-00000000A301}916C:\Temp\notmsbuild.exeC:\Users\Administrator\AppData\Local\Temp\ybsa0uv3\ybsa0uv3.dll2021-01-19 19:08:49.655 11241100x8000000000000000601147Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:08:49.623{5A2C5089-2E41-6007-CAA1-00000000A301}2864C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\emsqpwnt\emsqpwnt.dll2021-01-19 19:08:49.451 10341000x8000000000000000601146Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.608{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E41-6007-CBA1-00000000A301}6752C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601145Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.608{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601144Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.608{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601143Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.608{5A2C5089-2CFA-6007-61A1-00000000A301}41643176C:\Windows\system32\csrss.exe{5A2C5089-2E41-6007-CBA1-00000000A301}6752C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601142Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.608{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601141Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.608{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601140Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.608{5A2C5089-2E41-6007-CAA1-00000000A301}28642888C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe{5A2C5089-2E41-6007-CBA1-00000000A301}6752C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+11aa1(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+bcc5(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+be25(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+beb8(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+ab93(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+accc(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+a078(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+b380e|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+9fe23|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+74c1c|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+62696 154100x8000000000000000601139Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.614{5A2C5089-2E41-6007-CBA1-00000000A301}6752C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESB3D0.tmp" "c:\Users\Administrator\AppData\Local\Temp\emsqpwnt\CSC4D79C94D7A184491878A5F57E27517C1.TMP"c:\Temp\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=C09985AE74F0882F208D75DE27770DFA,SHA256=E24570ABD130832732D0DD3EC4EFB6E3E1835064513C8B8A2B1AE0D530B04534,IMPHASH=49D51E5A9546CAB5B1356F947A3B973C{5A2C5089-2E41-6007-CAA1-00000000A301}2864C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\emsqpwnt\emsqpwnt.cmdline" 10341000x8000000000000000601138Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.498{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E41-6007-CAA1-00000000A301}2864C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601137Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.483{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601136Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.483{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601135Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.483{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601134Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.483{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601133Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.483{5A2C5089-2CFA-6007-61A1-00000000A301}41643176C:\Windows\system32\csrss.exe{5A2C5089-2E41-6007-CAA1-00000000A301}2864C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601132Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.483{5A2C5089-2E40-6007-C9A1-00000000A301}9164376C:\Temp\notmsbuild.exe{5A2C5089-2E41-6007-CAA1-00000000A301}2864C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+22a51d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+19697d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+1964e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+196499(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+19547c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+614e95(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+614624(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+60c0d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\cfc53d6c124db195e5f6af02dd1912f6\Microsoft.Build.Tasks.v4.0.ni.dll+6f68888a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\cfc53d6c124db195e5f6af02dd1912f6\Microsoft.Build.Tasks.v4.0.ni.dll+6f68757b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\25c1e294abb735746f14e8a032b17a48\Microsoft.Build.ni.dll+177258(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\25c1e294abb735746f14e8a032b17a48\Microsoft.Build.ni.dll+176974(wow64) 154100x8000000000000000601131Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.463{5A2C5089-2E41-6007-CAA1-00000000A301}2864C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\emsqpwnt\emsqpwnt.cmdline"c:\Temp\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=EB70BF071EC54BF0C29408FFDB89E3BB,SHA256=3CAAD75ADEC05EC7D8568DA01300D06EAC7189BF1C9E42B169BA539A5D469E1C,IMPHASH=30324BFA092EB7BAA283AE5E9D2911B0{5A2C5089-2E40-6007-C9A1-00000000A301}916C:\Temp\notmsbuild.exeC:\Temp\notmsbuild.exe c:\Temp\T1127.001.txt 11241100x8000000000000000601130Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.451{5A2C5089-2E40-6007-C9A1-00000000A301}916C:\Temp\notmsbuild.exeC:\Users\Administrator\AppData\Local\Temp\emsqpwnt\emsqpwnt.cmdline2021-01-19 19:08:49.451 11241100x8000000000000000601129Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:08:49.451{5A2C5089-2E40-6007-C9A1-00000000A301}916C:\Temp\notmsbuild.exeC:\Users\Administrator\AppData\Local\Temp\emsqpwnt\emsqpwnt.dll2021-01-19 19:08:49.451 10341000x8000000000000000601128Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:49.342{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2E40-6007-C9A1-00000000A301}916C:\Temp\notmsbuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601202Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.967{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2E49-6007-D1A1-00000000A301}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601201Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.920{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E49-6007-D1A1-00000000A301}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601200Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.904{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601199Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.904{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601198Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.904{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2E49-6007-D1A1-00000000A301}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601197Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.904{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601196Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.904{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601195Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.904{5A2C5089-2E49-6007-D0A1-00000000A301}45285540C:\Windows\system32\cmd.exe{5A2C5089-2E49-6007-D1A1-00000000A301}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601194Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.911{5A2C5089-2E49-6007-D1A1-00000000A301}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe4.7.2053.0 built by: NET47REL1MSBuild.exeMicrosoft® .NET FrameworkMicrosoft CorporationMSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\AtomicRedTeam\atomics\T1127.001\src\T1127.001.csproj C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=25AF350BC14E22D38408E60A71DF6A73,SHA256=10332B7807D8397DAB04D8796C418B0074C1980CD88CBA0CFAFE9491D1C71AAF,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5A2C5089-2E49-6007-D0A1-00000000A301}4528C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\AtomicRedTeam\atomics\T1127.001\src\T1127.001.csproj" 10341000x8000000000000000601193Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.904{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E49-6007-D0A1-00000000A301}4528C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601192Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.889{5A2C5089-2D23-6007-99A1-00000000A301}7526856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5A2C5089-2E49-6007-D0A1-00000000A301}4528C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF8851D7AA3) 10341000x8000000000000000601191Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.889{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601190Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.889{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601189Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.889{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601188Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.889{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601187Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.889{5A2C5089-2CFA-6007-61A1-00000000A301}41646216C:\Windows\system32\csrss.exe{5A2C5089-2E49-6007-D0A1-00000000A301}4528C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601186Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.889{5A2C5089-2D23-6007-99A1-00000000A301}7526856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5A2C5089-2E49-6007-D0A1-00000000A301}4528C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f835b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8005de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f7c19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7fa2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f8635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f782e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7fb1471(wow64) 154100x8000000000000000601185Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.901{5A2C5089-2E49-6007-D0A1-00000000A301}4528C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\AtomicRedTeam\atomics\T1127.001\src\T1127.001.csproj" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000601184Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.889{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-01-19 19:08:48.655 11241100x8000000000000000601183Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.889{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-01-19 19:08:48.655 10341000x8000000000000000601182Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.810{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E49-6007-CFA1-00000000A301}5152C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601181Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.795{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601180Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.795{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601179Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.795{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601178Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.795{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601177Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.795{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2E49-6007-CFA1-00000000A301}5152C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601176Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.795{5A2C5089-2D23-6007-99A1-00000000A301}7526856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5A2C5089-2E49-6007-CFA1-00000000A301}5152C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ae32a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7fa2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f8635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f782e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f843b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64) 154100x8000000000000000601175Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.809{5A2C5089-2E49-6007-CFA1-00000000A301}5152C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000601174Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.795{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E49-6007-CEA1-00000000A301}5860C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601173Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.795{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601172Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.795{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601171Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.795{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601170Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.795{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601169Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.795{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2E49-6007-CEA1-00000000A301}5860C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601168Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.795{5A2C5089-2D23-6007-99A1-00000000A301}7526856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5A2C5089-2E49-6007-CEA1-00000000A301}5860C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ae32a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7fa2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f8635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f782e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f843b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64) 154100x8000000000000000601167Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:57.797{5A2C5089-2E49-6007-CEA1-00000000A301}5860C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000601240Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:08:58.248{5A2C5089-2E4A-6007-D4A1-00000000A301}5948C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\zgyydnqs\zgyydnqs.dll2021-01-19 19:08:58.154 10341000x8000000000000000601239Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.232{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E4A-6007-D5A1-00000000A301}6472C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601238Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.232{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601237Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.232{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601236Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.232{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601235Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.232{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601234Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.232{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-2E4A-6007-D5A1-00000000A301}6472C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601233Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.232{5A2C5089-2E4A-6007-D4A1-00000000A301}59487056C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe{5A2C5089-2E4A-6007-D5A1-00000000A301}6472C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+11aa1(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+bcc5(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+be25(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+beb8(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+ab93(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+accc(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+a078(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+b380e|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+9fe23|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+74c1c|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+62696 154100x8000000000000000601232Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.234{5A2C5089-2E4A-6007-D5A1-00000000A301}6472C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESD581.tmp" "c:\Users\Administrator\AppData\Local\Temp\zgyydnqs\CSC64C3BAFA937F44EA8DA3C9B46F6F857.TMP"C:\AtomicRedTeam\atomics\T1127.001\src\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=C09985AE74F0882F208D75DE27770DFA,SHA256=E24570ABD130832732D0DD3EC4EFB6E3E1835064513C8B8A2B1AE0D530B04534,IMPHASH=49D51E5A9546CAB5B1356F947A3B973C{5A2C5089-2E4A-6007-D4A1-00000000A301}5948C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\zgyydnqs\zgyydnqs.cmdline" 10341000x8000000000000000601231Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.170{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E4A-6007-D4A1-00000000A301}5948C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601230Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.154{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601229Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.154{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601228Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.154{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601227Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.154{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601226Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.154{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-2E4A-6007-D4A1-00000000A301}5948C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601225Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.154{5A2C5089-2E49-6007-D1A1-00000000A301}37163224C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe{5A2C5089-2E4A-6007-D4A1-00000000A301}5948C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+22a51d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+19697d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+1964e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+196499(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+19547c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+614e95(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+614624(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+60c0d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\cfc53d6c124db195e5f6af02dd1912f6\Microsoft.Build.Tasks.v4.0.ni.dll+6f68888a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\cfc53d6c124db195e5f6af02dd1912f6\Microsoft.Build.Tasks.v4.0.ni.dll+6f68757b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\25c1e294abb735746f14e8a032b17a48\Microsoft.Build.ni.dll+177258(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\25c1e294abb735746f14e8a032b17a48\Microsoft.Build.ni.dll+176974(wow64) 154100x8000000000000000601224Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.168{5A2C5089-2E4A-6007-D4A1-00000000A301}5948C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\zgyydnqs\zgyydnqs.cmdline"C:\AtomicRedTeam\atomics\T1127.001\src\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=EB70BF071EC54BF0C29408FFDB89E3BB,SHA256=3CAAD75ADEC05EC7D8568DA01300D06EAC7189BF1C9E42B169BA539A5D469E1C,IMPHASH=30324BFA092EB7BAA283AE5E9D2911B0{5A2C5089-2E49-6007-D1A1-00000000A301}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\AtomicRedTeam\atomics\T1127.001\src\T1127.001.csproj 11241100x8000000000000000601223Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.154{5A2C5089-2E49-6007-D1A1-00000000A301}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\zgyydnqs\zgyydnqs.cmdline2021-01-19 19:08:58.154 11241100x8000000000000000601222Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:08:58.154{5A2C5089-2E49-6007-D1A1-00000000A301}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\zgyydnqs\zgyydnqs.dll2021-01-19 19:08:58.154 11241100x8000000000000000601221Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:08:58.139{5A2C5089-2E4A-6007-D2A1-00000000A301}6508C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\oeabn2q5\oeabn2q5.dll2021-01-19 19:08:58.060 10341000x8000000000000000601220Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.139{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E4A-6007-D3A1-00000000A301}4432C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601219Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.123{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601218Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.123{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601217Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.123{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601216Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.123{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601215Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.123{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2E4A-6007-D3A1-00000000A301}4432C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601214Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.123{5A2C5089-2E4A-6007-D2A1-00000000A301}65082844C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe{5A2C5089-2E4A-6007-D3A1-00000000A301}4432C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+11aa1(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+bcc5(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+be25(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+beb8(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+ab93(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+accc(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+a078(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+b380e|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+9fe23|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+74c1c|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+62696 154100x8000000000000000601213Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.137{5A2C5089-2E4A-6007-D3A1-00000000A301}4432C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESD514.tmp" "c:\Users\Administrator\AppData\Local\Temp\oeabn2q5\CSC5ED3CC32E01D43CD9919C53753A9A45F.TMP"C:\AtomicRedTeam\atomics\T1127.001\src\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=C09985AE74F0882F208D75DE27770DFA,SHA256=E24570ABD130832732D0DD3EC4EFB6E3E1835064513C8B8A2B1AE0D530B04534,IMPHASH=49D51E5A9546CAB5B1356F947A3B973C{5A2C5089-2E4A-6007-D2A1-00000000A301}6508C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\oeabn2q5\oeabn2q5.cmdline" 10341000x8000000000000000601212Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.060{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2E4A-6007-D2A1-00000000A301}6508C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601211Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.060{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601210Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.060{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601209Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.060{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601208Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.060{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601207Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.060{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2E4A-6007-D2A1-00000000A301}6508C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601206Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.060{5A2C5089-2E49-6007-D1A1-00000000A301}37163224C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe{5A2C5089-2E4A-6007-D2A1-00000000A301}6508C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+22a51d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+19697d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+1964e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+196499(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+19547c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+614e95(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+614624(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+60c0d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\cfc53d6c124db195e5f6af02dd1912f6\Microsoft.Build.Tasks.v4.0.ni.dll+6f68888a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\cfc53d6c124db195e5f6af02dd1912f6\Microsoft.Build.Tasks.v4.0.ni.dll+6f68757b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\25c1e294abb735746f14e8a032b17a48\Microsoft.Build.ni.dll+177258(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\25c1e294abb735746f14e8a032b17a48\Microsoft.Build.ni.dll+176974(wow64) 154100x8000000000000000601205Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.068{5A2C5089-2E4A-6007-D2A1-00000000A301}6508C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\oeabn2q5\oeabn2q5.cmdline"C:\AtomicRedTeam\atomics\T1127.001\src\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=EB70BF071EC54BF0C29408FFDB89E3BB,SHA256=3CAAD75ADEC05EC7D8568DA01300D06EAC7189BF1C9E42B169BA539A5D469E1C,IMPHASH=30324BFA092EB7BAA283AE5E9D2911B0{5A2C5089-2E49-6007-D1A1-00000000A301}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\AtomicRedTeam\atomics\T1127.001\src\T1127.001.csproj 11241100x8000000000000000601204Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:08:58.060{5A2C5089-2E49-6007-D1A1-00000000A301}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\oeabn2q5\oeabn2q5.cmdline2021-01-19 19:08:58.060 11241100x8000000000000000601203Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:08:58.060{5A2C5089-2E49-6007-D1A1-00000000A301}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\oeabn2q5\oeabn2q5.dll2021-01-19 19:08:58.060 10341000x8000000000000000601242Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:23.481{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-2CFB-6007-65A1-00000000A301}2300C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601241Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:23.481{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-0F00-00000000A301}1132C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601247Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:25.966{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2E65-6007-D6A1-00000000A301}6664C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601246Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:25.966{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2E65-6007-D6A1-00000000A301}6664C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601245Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:25.950{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601244Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:25.950{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601243Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:25.950{5A2C5089-ED57-6001-0B00-00000000A301}8604284C:\Windows\system32\lsass.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601275Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.387{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601274Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.387{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601273Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.387{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601272Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.387{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2E66-6007-D8A1-00000000A301}2208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601271Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.387{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2E66-6007-D8A1-00000000A301}2208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601270Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.387{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601269Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.387{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601268Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.387{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601267Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.387{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601266Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.387{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2E66-6007-D8A1-00000000A301}2208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601265Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.387{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2E66-6007-D8A1-00000000A301}2208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601264Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.387{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2E66-6007-D8A1-00000000A301}2208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601263Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.387{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2E66-6007-D8A1-00000000A301}2208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601262Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.372{5A2C5089-ED5A-6001-1600-00000000A301}15363212C:\Windows\system32\svchost.exe{5A2C5089-2E66-6007-D8A1-00000000A301}2208C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601261Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.372{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2E66-6007-D8A1-00000000A301}2208C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601260Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.169{5A2C5089-2E66-6007-D8A1-00000000A301}22081068C:\Windows\system32\conhost.exe{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601259Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.153{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-2E66-6007-D8A1-00000000A301}2208C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601258Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.153{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601257Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.153{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601256Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.153{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601255Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.153{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601254Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.153{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601253Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.153{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601252Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.153{5A2C5089-2E32-6007-BFA1-00000000A301}68242552C:\Windows\system32\wbem\wmiprvse.exe{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x8000000000000000601251Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.151{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe4.7.2053.0 built by: NET47REL1MSBuild.exeMicrosoft® .NET FrameworkMicrosoft CorporationMSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Tasks\pshell.xmlC:\Windows\system32\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=E5AC74797478CD9649F201931EDE1166,SHA256=C50E0AA6EF6A1B6B775C8DC1D64E351610ABD7DDD08717C06A3A17C9D11A95DC,IMPHASH=00000000000000000000000000000000{5A2C5089-2E32-6007-BFA1-00000000A301}6824C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x8000000000000000601250Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localT10532021-01-19 19:09:26.137{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Tasks\pshell.xml2021-01-19 19:09:26.137 10341000x8000000000000000601249Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.059{5A2C5089-ED5A-6001-1600-00000000A301}15366416C:\Windows\system32\svchost.exe{5A2C5089-2E65-6007-D6A1-00000000A301}6664C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601248Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:26.028{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2E65-6007-D6A1-00000000A301}6664C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000601316Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.731{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lrqwhnak.j5i.ps12021-01-19 19:09:27.731 11241100x8000000000000000601315Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:09:27.715{5A2C5089-2E67-6007-DBA1-00000000A301}6592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\rtdqldmp\rtdqldmp.dll2021-01-19 19:09:27.606 10341000x8000000000000000601314Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.700{5A2C5089-2E66-6007-D8A1-00000000A301}22081068C:\Windows\system32\conhost.exe{5A2C5089-2E67-6007-DCA1-00000000A301}5916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601313Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.700{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601312Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.700{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601311Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.700{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601310Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.700{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-2E67-6007-DCA1-00000000A301}5916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601309Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.700{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601308Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.700{5A2C5089-2E67-6007-DBA1-00000000A301}65925724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5A2C5089-2E67-6007-DCA1-00000000A301}5916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601307Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.705{5A2C5089-2E67-6007-DCA1-00000000A301}5916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES489E.tmp" "c:\Users\Administrator\AppData\Local\Temp\rtdqldmp\CSCADD1D55694854714BD7C3EE859A5B3FF.TMP"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5A2C5089-2E67-6007-DBA1-00000000A301}6592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\rtdqldmp\rtdqldmp.cmdline" 10341000x8000000000000000601306Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.622{5A2C5089-2E66-6007-D8A1-00000000A301}22081068C:\Windows\system32\conhost.exe{5A2C5089-2E67-6007-DBA1-00000000A301}6592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601305Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.622{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601304Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.622{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601303Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.622{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601302Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.622{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601301Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.622{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-2E67-6007-DBA1-00000000A301}6592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601300Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.622{5A2C5089-2E66-6007-D7A1-00000000A301}32086556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe{5A2C5089-2E67-6007-DBA1-00000000A301}6592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+c15dabe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+c15d949b|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23aa35|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a32b|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a200|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239772|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239128|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239010|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4ec2df|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4c3940|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+237b09 154100x8000000000000000601299Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.622{5A2C5089-2E67-6007-DBA1-00000000A301}6592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\rtdqldmp\rtdqldmp.cmdline"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Tasks\pshell.xml 11241100x8000000000000000601298Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.606{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\rtdqldmp\rtdqldmp.cmdline2021-01-19 19:09:27.606 11241100x8000000000000000601297Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:09:27.606{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\rtdqldmp\rtdqldmp.dll2021-01-19 19:09:27.606 354300x8000000000000000601296Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.549{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-690.attackrange.local59151-false151.101.52.133-443https 11241100x8000000000000000601295Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:09:27.294{5A2C5089-2E67-6007-D9A1-00000000A301}5292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\wc4xaprb\wc4xaprb.dll2021-01-19 19:09:27.169 10341000x8000000000000000601294Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.278{5A2C5089-2E66-6007-D8A1-00000000A301}22081068C:\Windows\system32\conhost.exe{5A2C5089-2E67-6007-DAA1-00000000A301}5304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601293Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.278{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601292Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.278{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601291Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.278{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601290Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.278{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2E67-6007-DAA1-00000000A301}5304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601289Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.278{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601288Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.278{5A2C5089-2E67-6007-D9A1-00000000A301}52926600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5A2C5089-2E67-6007-DAA1-00000000A301}5304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601287Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.289{5A2C5089-2E67-6007-DAA1-00000000A301}5304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES46F8.tmp" "c:\Users\Administrator\AppData\Local\Temp\wc4xaprb\CSC4F5AB75182DE498793ADB8C2374567F6.TMP"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5A2C5089-2E67-6007-D9A1-00000000A301}5292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\wc4xaprb\wc4xaprb.cmdline" 10341000x8000000000000000601286Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.200{5A2C5089-2E66-6007-D8A1-00000000A301}22081068C:\Windows\system32\conhost.exe{5A2C5089-2E67-6007-D9A1-00000000A301}5292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601285Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.200{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601284Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.200{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601283Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.200{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601282Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.200{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601281Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.200{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2E67-6007-D9A1-00000000A301}5292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601280Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.200{5A2C5089-2E66-6007-D7A1-00000000A301}32086556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe{5A2C5089-2E67-6007-D9A1-00000000A301}5292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+c15dabe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+c15d949b|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23aa35|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a32b|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a200|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239772|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239128|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239010|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4ec2df|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4c3940|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+237b09 154100x8000000000000000601279Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.176{5A2C5089-2E67-6007-D9A1-00000000A301}5292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\wc4xaprb\wc4xaprb.cmdline"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Tasks\pshell.xml 11241100x8000000000000000601278Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.169{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\wc4xaprb\wc4xaprb.cmdline2021-01-19 19:09:27.169 11241100x8000000000000000601277Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:09:27.169{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\wc4xaprb\wc4xaprb.dll2021-01-19 19:09:27.169 10341000x8000000000000000601276Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:27.075{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601324Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:28.247{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601323Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:28.247{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601322Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:28.231{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601321Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:28.231{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601320Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:28.231{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601319Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:28.231{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601318Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:28.169{5A2C5089-ED57-6001-0B00-00000000A301}8604284C:\Windows\system32\lsass.exe{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601317Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:28.169{5A2C5089-ED57-6001-0B00-00000000A301}8604284C:\Windows\system32\lsass.exe{5A2C5089-2E66-6007-D7A1-00000000A301}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601361Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.418{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2E6C-6007-DDA1-00000000A301}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601360Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.418{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601359Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.418{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601358Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.418{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601357Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.418{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601356Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.418{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2E6C-6007-DDA1-00000000A301}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601355Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.418{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2E6C-6007-DDA1-00000000A301}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601354Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.409{5A2C5089-2E6C-6007-DDA1-00000000A301}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601353Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601352Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601351Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601350Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601349Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601348Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601347Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601346Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601345Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601344Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601343Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601342Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601341Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601340Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601339Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601338Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601337Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601336Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601335Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601334Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601333Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601332Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601331Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601330Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601329Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601328Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601327Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601326Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601325Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:32.075{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601370Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:33.606{5A2C5089-2E6D-6007-DEA1-00000000A301}55965344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601369Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:33.434{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2E6D-6007-DEA1-00000000A301}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601368Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:33.434{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601367Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:33.434{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601366Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:33.434{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601365Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:33.434{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601364Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:33.434{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2E6D-6007-DEA1-00000000A301}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601363Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:33.434{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2E6D-6007-DEA1-00000000A301}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601362Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:33.435{5A2C5089-2E6D-6007-DEA1-00000000A301}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601378Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:34.371{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2E6E-6007-DFA1-00000000A301}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601377Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:34.371{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601376Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:34.371{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601375Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:34.371{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601374Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:34.371{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601373Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:34.371{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2E6E-6007-DFA1-00000000A301}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601372Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:34.371{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2E6E-6007-DFA1-00000000A301}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601371Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:34.374{5A2C5089-2E6E-6007-DFA1-00000000A301}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601396Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.903{5A2C5089-2E6F-6007-E1A1-00000000A301}47326316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601395Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.746{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2E6F-6007-E1A1-00000000A301}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601394Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.731{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601393Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.731{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601392Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.731{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601391Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.731{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601390Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.731{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-2E6F-6007-E1A1-00000000A301}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601389Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.731{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2E6F-6007-E1A1-00000000A301}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601388Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.733{5A2C5089-2E6F-6007-E1A1-00000000A301}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601387Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.168{5A2C5089-2E6F-6007-E0A1-00000000A301}63566392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601386Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.028{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2E6F-6007-E0A1-00000000A301}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601385Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.012{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601384Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.012{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601383Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.012{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601382Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.012{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601381Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.012{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2E6F-6007-E0A1-00000000A301}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601380Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.012{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2E6F-6007-E0A1-00000000A301}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601379Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:35.015{5A2C5089-2E6F-6007-E0A1-00000000A301}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601404Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:36.371{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2E70-6007-E2A1-00000000A301}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601403Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:36.371{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601402Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:36.371{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601401Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:36.371{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601400Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:36.371{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601399Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:36.371{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2E70-6007-E2A1-00000000A301}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601398Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:36.371{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2E70-6007-E2A1-00000000A301}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601397Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:36.373{5A2C5089-2E70-6007-E2A1-00000000A301}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601413Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:37.168{5A2C5089-2E71-6007-E3A1-00000000A301}60366548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601412Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:37.012{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2E71-6007-E3A1-00000000A301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601411Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:37.012{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601410Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:37.012{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601409Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:37.012{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601408Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:37.012{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601407Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:37.012{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-2E71-6007-E3A1-00000000A301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601406Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:37.012{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2E71-6007-E3A1-00000000A301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601405Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:37.014{5A2C5089-2E71-6007-E3A1-00000000A301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601481Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.918{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601480Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.918{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000601479Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.793{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qaesdeag.hep.ps12021-01-19 19:09:38.793 11241100x8000000000000000601478Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:09:38.777{5A2C5089-2E72-6007-E8A1-00000000A301}4748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\sp33jqhn\sp33jqhn.dll2021-01-19 19:09:38.684 10341000x8000000000000000601477Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.762{5A2C5089-2E72-6007-E5A1-00000000A301}70365356C:\Windows\system32\conhost.exe{5A2C5089-2E72-6007-E9A1-00000000A301}6508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601476Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.762{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601475Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.762{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601474Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.762{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601473Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.762{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-2E72-6007-E9A1-00000000A301}6508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601472Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.762{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601471Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.762{5A2C5089-2E72-6007-E8A1-00000000A301}47484888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5A2C5089-2E72-6007-E9A1-00000000A301}6508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601470Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.771{5A2C5089-2E72-6007-E9A1-00000000A301}6508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES73D4.tmp" "c:\Users\Administrator\AppData\Local\Temp\sp33jqhn\CSC2A954B8172DC47AB861364E93519CB68.TMP"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5A2C5089-2E72-6007-E8A1-00000000A301}4748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\sp33jqhn\sp33jqhn.cmdline" 10341000x8000000000000000601469Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.684{5A2C5089-2E72-6007-E5A1-00000000A301}70365356C:\Windows\system32\conhost.exe{5A2C5089-2E72-6007-E8A1-00000000A301}4748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601468Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.684{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601467Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.684{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601466Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.684{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601465Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.684{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601464Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.684{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-2E72-6007-E8A1-00000000A301}4748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601463Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.684{5A2C5089-2E72-6007-E4A1-00000000A301}9166372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe{5A2C5089-2E72-6007-E8A1-00000000A301}4748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+c0f4ab7a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+c0f4942f|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23aa35|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a32b|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a200|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239772|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239128|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239010|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4ec2df|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4c3940|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+237b09 154100x8000000000000000601462Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.689{5A2C5089-2E72-6007-E8A1-00000000A301}4748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\sp33jqhn\sp33jqhn.cmdline"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Tasks\pshell.xml 11241100x8000000000000000601461Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.684{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\sp33jqhn\sp33jqhn.cmdline2021-01-19 19:09:38.684 11241100x8000000000000000601460Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:09:38.684{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\sp33jqhn\sp33jqhn.dll2021-01-19 19:09:38.684 11241100x8000000000000000601459Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:09:38.668{5A2C5089-2E72-6007-E6A1-00000000A301}4720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\oauk5thp\oauk5thp.dll2021-01-19 19:09:38.590 10341000x8000000000000000601458Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.652{5A2C5089-2E72-6007-E5A1-00000000A301}70365356C:\Windows\system32\conhost.exe{5A2C5089-2E72-6007-E7A1-00000000A301}5148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601457Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.652{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601456Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.652{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601455Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.652{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601454Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.652{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2E72-6007-E7A1-00000000A301}5148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601453Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.652{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601452Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.652{5A2C5089-2E72-6007-E6A1-00000000A301}47205208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5A2C5089-2E72-6007-E7A1-00000000A301}5148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601451Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.660{5A2C5089-2E72-6007-E7A1-00000000A301}5148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES7367.tmp" "c:\Users\Administrator\AppData\Local\Temp\oauk5thp\CSC73EB0E9DDCE3452FA6285C71B9B14439.TMP"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5A2C5089-2E72-6007-E6A1-00000000A301}4720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\oauk5thp\oauk5thp.cmdline" 10341000x8000000000000000601450Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.590{5A2C5089-2E72-6007-E5A1-00000000A301}70365356C:\Windows\system32\conhost.exe{5A2C5089-2E72-6007-E6A1-00000000A301}4720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601449Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.590{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601448Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.590{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601447Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.590{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601446Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.590{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2E72-6007-E6A1-00000000A301}4720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601445Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.590{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601444Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.590{5A2C5089-2E72-6007-E4A1-00000000A301}9166372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe{5A2C5089-2E72-6007-E6A1-00000000A301}4720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+c0f4ab7a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+c0f4942f|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23aa35|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a32b|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a200|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239772|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239128|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239010|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4ec2df|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4c3940|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+237b09 154100x8000000000000000601443Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.602{5A2C5089-2E72-6007-E6A1-00000000A301}4720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\oauk5thp\oauk5thp.cmdline"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Tasks\pshell.xml 11241100x8000000000000000601442Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.590{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\oauk5thp\oauk5thp.cmdline2021-01-19 19:09:38.590 11241100x8000000000000000601441Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:09:38.590{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\oauk5thp\oauk5thp.dll2021-01-19 19:09:38.590 10341000x8000000000000000601440Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.559{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601439Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.512{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601438Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.496{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601437Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.496{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601436Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.496{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2E72-6007-E5A1-00000000A301}7036C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601435Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.496{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2E72-6007-E5A1-00000000A301}7036C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601434Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.496{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601433Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.496{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601432Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.496{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601431Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.496{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601430Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.496{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2E72-6007-E5A1-00000000A301}7036C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601429Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.496{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2E72-6007-E5A1-00000000A301}7036C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601428Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.496{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2E72-6007-E5A1-00000000A301}7036C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601427Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.496{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2E72-6007-E5A1-00000000A301}7036C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601426Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.481{5A2C5089-ED5A-6001-1600-00000000A301}15363704C:\Windows\system32\svchost.exe{5A2C5089-2E72-6007-E5A1-00000000A301}7036C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601425Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.481{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2E72-6007-E5A1-00000000A301}7036C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601424Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.481{5A2C5089-2E72-6007-E5A1-00000000A301}70365356C:\Windows\system32\conhost.exe{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601423Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.449{5A2C5089-2CFA-6007-61A1-00000000A301}41643176C:\Windows\system32\csrss.exe{5A2C5089-2E72-6007-E5A1-00000000A301}7036C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601422Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.449{5A2C5089-2CFA-6007-61A1-00000000A301}41646216C:\Windows\system32\csrss.exe{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601421Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.449{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601420Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.449{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601419Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.449{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601418Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.449{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601417Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.449{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601416Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.449{5A2C5089-2E32-6007-BFA1-00000000A301}68242552C:\Windows\system32\wbem\wmiprvse.exe{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x8000000000000000601415Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:38.456{5A2C5089-2E72-6007-E4A1-00000000A301}916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe4.7.2053.0 built by: NET47REL1MSBuild.exeMicrosoft® .NET FrameworkMicrosoft CorporationMSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Tasks\pshell.xmlC:\Windows\system32\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=E5AC74797478CD9649F201931EDE1166,SHA256=C50E0AA6EF6A1B6B775C8DC1D64E351610ABD7DDD08717C06A3A17C9D11A95DC,IMPHASH=00000000000000000000000000000000{5A2C5089-2E32-6007-BFA1-00000000A301}6824C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x8000000000000000601414Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localT10532021-01-19 19:09:38.434{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Tasks\pshell.xml2021-01-19 19:09:26.137 10341000x8000000000000000601487Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:39.199{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601486Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:39.199{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601485Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:39.199{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601484Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:39.199{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601483Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:39.199{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601482Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:39.199{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000601488Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:41.295{00000000-0000-0000-0000-000000000000}916www.example.com0::ffff:93.184.216.34;<unknown process> 10341000x8000000000000000601497Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:44.480{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-ED59-6001-0C00-00000000A301}668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601496Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:44.480{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601495Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:44.480{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1000-00000000A301}1168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601494Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:44.480{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-2CFE-6007-78A1-00000000A301}3904C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601493Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:44.480{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-2CFC-6007-6EA1-00000000A301}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601492Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:44.480{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1100-00000000A301}1176C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601491Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:44.480{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-ED59-6001-0C00-00000000A301}668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601490Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:44.480{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-2CFC-6007-6EA1-00000000A301}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601489Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:09:44.480{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-2CFC-6007-6BA1-00000000A301}4660C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601499Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:00.308{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-2D1F-6007-98A1-00000000A301}2908C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601498Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:00.308{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-2D1F-6007-98A1-00000000A301}2908C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601501Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:04.745{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601500Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:04.745{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601504Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:29.307{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601503Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:29.307{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601502Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:29.307{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601506Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:32.135{5A2C5089-ED5A-6001-1600-00000000A301}15366592C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601505Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:32.135{5A2C5089-ED5A-6001-1600-00000000A301}15366592C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601515Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:34.838{5A2C5089-2EAA-6007-EAA1-00000000A301}17486968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601514Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:34.666{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2EAA-6007-EAA1-00000000A301}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601513Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:34.666{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601512Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:34.666{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601511Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:34.666{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601510Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:34.666{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601509Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:34.666{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2EAA-6007-EAA1-00000000A301}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601508Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:34.666{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2EAA-6007-EAA1-00000000A301}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601507Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:34.667{5A2C5089-2EAA-6007-EAA1-00000000A301}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601532Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.978{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2EAB-6007-ECA1-00000000A301}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601531Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.978{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601530Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.978{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601529Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.978{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601528Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.978{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601527Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.978{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2EAB-6007-ECA1-00000000A301}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601526Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.978{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2EAB-6007-ECA1-00000000A301}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601525Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.981{5A2C5089-2EAB-6007-ECA1-00000000A301}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601524Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.494{5A2C5089-2EAB-6007-EBA1-00000000A301}57366452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601523Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.338{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2EAB-6007-EBA1-00000000A301}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601522Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.338{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601521Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.338{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601520Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.338{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601519Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.338{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601518Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.338{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2EAB-6007-EBA1-00000000A301}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601517Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.338{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2EAB-6007-EBA1-00000000A301}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601516Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:35.340{5A2C5089-2EAB-6007-EBA1-00000000A301}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601541Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:36.791{5A2C5089-2EAC-6007-EDA1-00000000A301}53842320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601540Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:36.634{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2EAC-6007-EDA1-00000000A301}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601539Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:36.634{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601538Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:36.634{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601537Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:36.634{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601536Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:36.634{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601535Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:36.634{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2EAC-6007-EDA1-00000000A301}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601534Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:36.634{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2EAC-6007-EDA1-00000000A301}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601533Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:36.637{5A2C5089-2EAC-6007-EDA1-00000000A301}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601559Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.916{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2EAD-6007-EFA1-00000000A301}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601558Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.916{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601557Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.916{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601556Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.916{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601555Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.916{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601554Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.916{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2EAD-6007-EFA1-00000000A301}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601553Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.916{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2EAD-6007-EFA1-00000000A301}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601552Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.917{5A2C5089-2EAD-6007-EFA1-00000000A301}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601551Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.447{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601550Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.447{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1000-00000000A301}1168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601549Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.275{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2EAD-6007-EEA1-00000000A301}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601548Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.275{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601547Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.275{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601546Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.275{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601545Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.275{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601544Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.275{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2EAD-6007-EEA1-00000000A301}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601543Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.275{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2EAD-6007-EEA1-00000000A301}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601542Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:37.277{5A2C5089-2EAD-6007-EEA1-00000000A301}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601569Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:38.744{5A2C5089-2EAE-6007-F0A1-00000000A301}69606944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601568Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:38.587{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2EAE-6007-F0A1-00000000A301}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601567Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:38.587{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601566Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:38.587{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601565Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:38.587{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601564Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:38.587{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601563Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:38.587{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2EAE-6007-F0A1-00000000A301}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601562Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:38.587{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2EAE-6007-F0A1-00000000A301}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601561Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:38.589{5A2C5089-2EAE-6007-F0A1-00000000A301}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601560Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:10:38.181{5A2C5089-ED57-6001-0B00-00000000A301}8602232C:\Windows\system32\lsass.exe{5A2C5089-ED55-6001-0100-00000000A301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x8000000000000000601575Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:10:39.072{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x8000000000000000601574Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:10:39.072{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x8000000000000000601573Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:10:39.072{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x8000000000000000601572Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:10:39.072{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d6ee96-0xc6236bba) 13241300x8000000000000000601571Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:10:39.072{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x8000000000000000601570Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:10:39.072{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 13241300x8000000000000000601578Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:11:00.118{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\0C308890-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_0C308890-0000-0000-0000-100000000000.XML 13241300x8000000000000000601577Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:11:00.102{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9916ACFC-C6A5-411F-AB13-8F4D0BF713D8\Config SourceDWORD (0x00000001) 13241300x8000000000000000601576Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:11:00.102{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9916ACFC-C6A5-411F-AB13-8F4D0BF713D8\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9916ACFC-C6A5-411F-AB13-8F4D0BF713D8.XML 10341000x8000000000000000601579Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:31.038{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-2CFC-6007-6EA1-00000000A301}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601587Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:32.757{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2EE4-6007-F1A1-00000000A301}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601586Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:32.741{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601585Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:32.741{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601584Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:32.741{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601583Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:32.741{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601582Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:32.741{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-2EE4-6007-F1A1-00000000A301}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601581Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:32.741{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2EE4-6007-F1A1-00000000A301}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601580Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:32.742{5A2C5089-2EE4-6007-F1A1-00000000A301}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601627Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.570{5A2C5089-2EE5-6007-F2A1-00000000A301}68926928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601626Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.413{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2EE5-6007-F2A1-00000000A301}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601625Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.413{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601624Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.413{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601623Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.413{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601622Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.413{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601621Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.413{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2EE5-6007-F2A1-00000000A301}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601620Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.413{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2EE5-6007-F2A1-00000000A301}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601619Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.414{5A2C5089-2EE5-6007-F2A1-00000000A301}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601618Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601617Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601616Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601615Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601614Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601613Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601612Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601611Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601610Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601609Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601608Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601607Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601606Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601605Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601604Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601603Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601602Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601601Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601600Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601599Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601598Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601597Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601596Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601595Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601594Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601593Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601592Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601591Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601590Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601589Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601588Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:33.085{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601645Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.757{5A2C5089-2EE6-6007-F4A1-00000000A301}66725396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601644Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.601{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2EE6-6007-F4A1-00000000A301}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601643Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.601{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601642Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.601{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601641Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.601{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601640Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.601{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601639Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.601{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2EE6-6007-F4A1-00000000A301}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601638Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.601{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2EE6-6007-F4A1-00000000A301}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601637Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.601{5A2C5089-2EE6-6007-F4A1-00000000A301}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601636Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.195{5A2C5089-2EE6-6007-F3A1-00000000A301}56685220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601635Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.038{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2EE6-6007-F3A1-00000000A301}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601634Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.038{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601633Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.038{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601632Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.038{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601631Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.038{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601630Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.038{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-2EE6-6007-F3A1-00000000A301}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601629Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.038{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2EE6-6007-F3A1-00000000A301}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601628Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:34.040{5A2C5089-2EE6-6007-F3A1-00000000A301}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601661Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.757{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2EE7-6007-F6A1-00000000A301}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601660Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.757{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601659Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.757{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601658Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.757{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601657Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.757{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601656Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.757{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-2EE7-6007-F6A1-00000000A301}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601655Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.757{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2EE7-6007-F6A1-00000000A301}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601654Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.758{5A2C5089-2EE7-6007-F6A1-00000000A301}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601653Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.210{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2EE7-6007-F5A1-00000000A301}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601652Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.210{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601651Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.210{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601650Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.210{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601649Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.210{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601648Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.210{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2EE7-6007-F5A1-00000000A301}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601647Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.210{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2EE7-6007-F5A1-00000000A301}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601646Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:35.212{5A2C5089-2EE7-6007-F5A1-00000000A301}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601670Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:36.507{5A2C5089-2EE8-6007-F7A1-00000000A301}41485200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601669Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:36.351{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2EE8-6007-F7A1-00000000A301}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601668Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:36.351{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601667Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:36.351{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601666Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:36.351{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601665Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:36.351{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601664Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:36.351{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2EE8-6007-F7A1-00000000A301}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601663Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:36.351{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2EE8-6007-F7A1-00000000A301}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601662Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:36.352{5A2C5089-2EE8-6007-F7A1-00000000A301}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601671Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:11:37.257{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-2D1F-6007-98A1-00000000A301}2908C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601679Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:32.739{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F20-6007-F8A1-00000000A301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601678Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:32.739{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601677Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:32.739{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601676Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:32.739{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601675Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:32.739{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601674Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:32.739{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2F20-6007-F8A1-00000000A301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601673Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:32.739{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F20-6007-F8A1-00000000A301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601672Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:32.740{5A2C5089-2F20-6007-F8A1-00000000A301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601696Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.880{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F21-6007-FAA1-00000000A301}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601695Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.880{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601694Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.880{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601693Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.880{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601692Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.880{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601691Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.880{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2F21-6007-FAA1-00000000A301}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601690Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.880{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F21-6007-FAA1-00000000A301}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601689Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.881{5A2C5089-2F21-6007-FAA1-00000000A301}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601688Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.411{5A2C5089-2F21-6007-F9A1-00000000A301}70166720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601687Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.255{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F21-6007-F9A1-00000000A301}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601686Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.255{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601685Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.255{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601684Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.255{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601683Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.255{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601682Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.255{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2F21-6007-F9A1-00000000A301}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601681Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.255{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F21-6007-F9A1-00000000A301}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601680Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:33.256{5A2C5089-2F21-6007-F9A1-00000000A301}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601705Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:34.708{5A2C5089-2F22-6007-FBA1-00000000A301}66606668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601704Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:34.551{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F22-6007-FBA1-00000000A301}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601703Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:34.551{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601702Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:34.551{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601701Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:34.551{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601700Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:34.551{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601699Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:34.551{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2F22-6007-FBA1-00000000A301}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601698Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:34.551{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F22-6007-FBA1-00000000A301}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601697Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:34.552{5A2C5089-2F22-6007-FBA1-00000000A301}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601721Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.895{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F23-6007-FDA1-00000000A301}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601720Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.895{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601719Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.895{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601718Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.895{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601717Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.895{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601716Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.895{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2F23-6007-FDA1-00000000A301}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601715Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.895{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F23-6007-FDA1-00000000A301}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601714Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.896{5A2C5089-2F23-6007-FDA1-00000000A301}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601713Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.223{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F23-6007-FCA1-00000000A301}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601712Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.223{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601711Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.223{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601710Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.223{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601709Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.223{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601708Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.223{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2F23-6007-FCA1-00000000A301}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601707Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.223{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F23-6007-FCA1-00000000A301}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601706Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:35.224{5A2C5089-2F23-6007-FCA1-00000000A301}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601731Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:36.716{5A2C5089-2F24-6007-FEA1-00000000A301}58846096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601730Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:36.567{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F24-6007-FEA1-00000000A301}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601729Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:36.567{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601728Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:36.567{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601727Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:36.567{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601726Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:36.567{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601725Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:36.567{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2F24-6007-FEA1-00000000A301}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601724Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:36.567{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F24-6007-FEA1-00000000A301}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601723Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:36.568{5A2C5089-2F24-6007-FEA1-00000000A301}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601722Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:36.051{5A2C5089-2F23-6007-FDA1-00000000A301}43565168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601733Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:37.114{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2CFC-6007-6EA1-00000000A301}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000601732Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:12:37.114{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2CFC-6007-6EA1-00000000A301}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e0cc|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000601736Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:02.175{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601735Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:02.175{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601734Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:02.175{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000601737Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localEXE2021-01-19 19:13:04.581{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\MSBuild.exe2021-01-19 19:13:04.581 10341000x8000000000000000601753Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.175{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2F46-6007-00A2-00000000A301}6964C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601752Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.175{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601751Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.175{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601750Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.175{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601749Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.175{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601748Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.175{5A2C5089-2CFA-6007-61A1-00000000A301}41646216C:\Windows\system32\csrss.exe{5A2C5089-2F46-6007-00A2-00000000A301}6964C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601747Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.175{5A2C5089-2D23-6007-99A1-00000000A301}7526856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5A2C5089-2F46-6007-00A2-00000000A301}6964C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ae32a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7fa2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f8635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f782e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f843b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64) 154100x8000000000000000601746Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.178{5A2C5089-2F46-6007-00A2-00000000A301}6964C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000601745Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.159{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2F46-6007-FFA1-00000000A301}6744C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601744Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.159{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601743Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.159{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601742Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.159{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601741Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.159{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601740Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.159{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2F46-6007-FFA1-00000000A301}6744C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601739Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.159{5A2C5089-2D23-6007-99A1-00000000A301}7526856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5A2C5089-2F46-6007-FFA1-00000000A301}6744C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ae32a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7fa2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f8635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f782e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f843b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f84130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64) 154100x8000000000000000601738Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:10.166{5A2C5089-2F46-6007-FFA1-00000000A301}6744C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000601773Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.924{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2F50-6007-02A2-00000000A301}5592c:\temp\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601772Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.878{5A2C5089-ED5A-6001-1400-00000000A301}13242476C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601771Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.878{5A2C5089-2CFA-6007-61A1-00000000A301}41643176C:\Windows\system32\csrss.exe{5A2C5089-2F50-6007-02A2-00000000A301}5592c:\temp\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601770Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.878{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601769Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.878{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601768Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.878{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601767Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.878{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601766Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.862{5A2C5089-2F50-6007-01A2-00000000A301}55846708C:\Windows\system32\cmd.exe{5A2C5089-2F50-6007-02A2-00000000A301}5592c:\temp\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601765Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.875{5A2C5089-2F50-6007-02A2-00000000A301}5592C:\Temp\MSBuild.exe4.7.2053.0 built by: NET47REL1MSBuild.exeMicrosoft® .NET FrameworkMicrosoft CorporationMSBuild.exec:\temp\msbuild.exe C:\AtomicRedTeam\atomics\T1127.001\src\T1127.001.csproj C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=25AF350BC14E22D38408E60A71DF6A73,SHA256=10332B7807D8397DAB04D8796C418B0074C1980CD88CBA0CFAFE9491D1C71AAF,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5A2C5089-2F50-6007-01A2-00000000A301}5584C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "c:\temp\msbuild.exe C:\AtomicRedTeam\atomics\T1127.001\src\T1127.001.csproj" 10341000x8000000000000000601764Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.862{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2F50-6007-01A2-00000000A301}5584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601763Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.862{5A2C5089-2D23-6007-99A1-00000000A301}7526856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5A2C5089-2F50-6007-01A2-00000000A301}5584C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF8851D7AA3) 10341000x8000000000000000601762Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.862{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601761Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.862{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601760Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.862{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601759Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.862{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601758Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.862{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2F50-6007-01A2-00000000A301}5584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601757Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.862{5A2C5089-2D23-6007-99A1-00000000A301}7526856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5A2C5089-2F50-6007-01A2-00000000A301}5584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f83743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f835b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8005de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f7c19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8a35392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f44997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7fa2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f864cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f8635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7f782e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7fb1471(wow64) 154100x8000000000000000601756Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.867{5A2C5089-2F50-6007-01A2-00000000A301}5584C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "c:\temp\msbuild.exe C:\AtomicRedTeam\atomics\T1127.001\src\T1127.001.csproj" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000601755Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.862{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-01-19 19:13:20.862 11241100x8000000000000000601754Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:20.862{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-01-19 19:13:20.862 11241100x8000000000000000601812Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:13:21.268{5A2C5089-2F51-6007-05A2-00000000A301}2208C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\bgu1lqj4\bgu1lqj4.dll2021-01-19 19:13:21.174 10341000x8000000000000000601811Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.253{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2F51-6007-06A2-00000000A301}5856C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601810Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.253{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601809Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.253{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601808Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.253{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601807Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.253{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-2F51-6007-06A2-00000000A301}5856C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601806Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.253{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601805Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.253{5A2C5089-2F51-6007-05A2-00000000A301}22083872C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe{5A2C5089-2F51-6007-06A2-00000000A301}5856C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+11aa1(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+bcc5(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+be25(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+beb8(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+ab93(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+accc(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+a078(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+b380e|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+9fe23|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+74c1c|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+62696 154100x8000000000000000601804Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.256{5A2C5089-2F51-6007-06A2-00000000A301}5856C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESD8F8.tmp" "c:\Users\Administrator\AppData\Local\Temp\bgu1lqj4\CSC3B5AB55D71454C12A184D58AFA9E2BEA.TMP"C:\AtomicRedTeam\atomics\T1127.001\src\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=C09985AE74F0882F208D75DE27770DFA,SHA256=E24570ABD130832732D0DD3EC4EFB6E3E1835064513C8B8A2B1AE0D530B04534,IMPHASH=49D51E5A9546CAB5B1356F947A3B973C{5A2C5089-2F51-6007-05A2-00000000A301}2208C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\bgu1lqj4\bgu1lqj4.cmdline" 10341000x8000000000000000601803Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.174{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2F51-6007-05A2-00000000A301}2208C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601802Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.174{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601801Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.174{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601800Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.174{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601799Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.174{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601798Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.174{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-2F51-6007-05A2-00000000A301}2208C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601797Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.174{5A2C5089-2F50-6007-02A2-00000000A301}55921112c:\temp\MSBuild.exe{5A2C5089-2F51-6007-05A2-00000000A301}2208C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+22a51d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+19697d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+1964e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+196499(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+19547c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+614e95(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+614624(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+60c0d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\cfc53d6c124db195e5f6af02dd1912f6\Microsoft.Build.Tasks.v4.0.ni.dll+6f68888a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\cfc53d6c124db195e5f6af02dd1912f6\Microsoft.Build.Tasks.v4.0.ni.dll+6f68757b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\25c1e294abb735746f14e8a032b17a48\Microsoft.Build.ni.dll+177258(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\25c1e294abb735746f14e8a032b17a48\Microsoft.Build.ni.dll+176974(wow64) 154100x8000000000000000601796Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.180{5A2C5089-2F51-6007-05A2-00000000A301}2208C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\bgu1lqj4\bgu1lqj4.cmdline"C:\AtomicRedTeam\atomics\T1127.001\src\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=EB70BF071EC54BF0C29408FFDB89E3BB,SHA256=3CAAD75ADEC05EC7D8568DA01300D06EAC7189BF1C9E42B169BA539A5D469E1C,IMPHASH=30324BFA092EB7BAA283AE5E9D2911B0{5A2C5089-2F50-6007-02A2-00000000A301}5592C:\Temp\MSBuild.exec:\temp\msbuild.exe C:\AtomicRedTeam\atomics\T1127.001\src\T1127.001.csproj 11241100x8000000000000000601795Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.174{5A2C5089-2F50-6007-02A2-00000000A301}5592c:\temp\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\bgu1lqj4\bgu1lqj4.cmdline2021-01-19 19:13:21.174 11241100x8000000000000000601794Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:13:21.174{5A2C5089-2F50-6007-02A2-00000000A301}5592c:\temp\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\bgu1lqj4\bgu1lqj4.dll2021-01-19 19:13:21.174 11241100x8000000000000000601793Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:13:21.143{5A2C5089-2F51-6007-03A2-00000000A301}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\cwrkd3vk\cwrkd3vk.dll2021-01-19 19:13:21.034 10341000x8000000000000000601792Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.128{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2F51-6007-04A2-00000000A301}5388C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601791Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.128{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601790Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.128{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601789Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.128{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601788Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.128{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601787Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.128{5A2C5089-2CFA-6007-61A1-00000000A301}41643176C:\Windows\system32\csrss.exe{5A2C5089-2F51-6007-04A2-00000000A301}5388C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601786Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.128{5A2C5089-2F51-6007-03A2-00000000A301}41285736C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe{5A2C5089-2F51-6007-04A2-00000000A301}5388C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+11aa1(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+bcc5(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+be25(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+beb8(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+ab93(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+accc(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll+a078(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+b380e|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+9fe23|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+74c1c|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe+62696 154100x8000000000000000601785Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.131{5A2C5089-2F51-6007-04A2-00000000A301}5388C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESD87B.tmp" "c:\Users\Administrator\AppData\Local\Temp\cwrkd3vk\CSC869B8B1C8F6C4C47B19EFE365662A3AD.TMP"C:\AtomicRedTeam\atomics\T1127.001\src\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=C09985AE74F0882F208D75DE27770DFA,SHA256=E24570ABD130832732D0DD3EC4EFB6E3E1835064513C8B8A2B1AE0D530B04534,IMPHASH=49D51E5A9546CAB5B1356F947A3B973C{5A2C5089-2F51-6007-03A2-00000000A301}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\cwrkd3vk\cwrkd3vk.cmdline" 10341000x8000000000000000601784Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.049{5A2C5089-2D23-6007-9AA1-00000000A301}66166780C:\Windows\system32\conhost.exe{5A2C5089-2F51-6007-03A2-00000000A301}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601783Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.049{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601782Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.049{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601781Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.049{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601780Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.049{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601779Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.049{5A2C5089-2CFA-6007-61A1-00000000A301}41643176C:\Windows\system32\csrss.exe{5A2C5089-2F51-6007-03A2-00000000A301}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601778Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.049{5A2C5089-2F50-6007-02A2-00000000A301}55921112c:\temp\MSBuild.exe{5A2C5089-2F51-6007-03A2-00000000A301}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+22a51d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+19697d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+1964e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+196499(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+19547c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+614e95(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+614624(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\a2e27c93a744505a2baf34e9e7f9514f\System.ni.dll+60c0d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\cfc53d6c124db195e5f6af02dd1912f6\Microsoft.Build.Tasks.v4.0.ni.dll+6f68888a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\cfc53d6c124db195e5f6af02dd1912f6\Microsoft.Build.Tasks.v4.0.ni.dll+6f68757b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\25c1e294abb735746f14e8a032b17a48\Microsoft.Build.ni.dll+177258(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\25c1e294abb735746f14e8a032b17a48\Microsoft.Build.ni.dll+176974(wow64) 154100x8000000000000000601777Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.050{5A2C5089-2F51-6007-03A2-00000000A301}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\cwrkd3vk\cwrkd3vk.cmdline"C:\AtomicRedTeam\atomics\T1127.001\src\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=EB70BF071EC54BF0C29408FFDB89E3BB,SHA256=3CAAD75ADEC05EC7D8568DA01300D06EAC7189BF1C9E42B169BA539A5D469E1C,IMPHASH=30324BFA092EB7BAA283AE5E9D2911B0{5A2C5089-2F50-6007-02A2-00000000A301}5592C:\Temp\MSBuild.exec:\temp\msbuild.exe C:\AtomicRedTeam\atomics\T1127.001\src\T1127.001.csproj 11241100x8000000000000000601776Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.034{5A2C5089-2F50-6007-02A2-00000000A301}5592c:\temp\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\cwrkd3vk\cwrkd3vk.cmdline2021-01-19 19:13:21.034 11241100x8000000000000000601775Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:13:21.034{5A2C5089-2F50-6007-02A2-00000000A301}5592c:\temp\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\cwrkd3vk\cwrkd3vk.dll2021-01-19 19:13:21.034 10341000x8000000000000000601774Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:21.003{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2F50-6007-02A2-00000000A301}5592c:\temp\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601813Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:25.971{5A2C5089-ED57-6001-0B00-00000000A301}8604880C:\Windows\system32\lsass.exe{5A2C5089-ED55-6001-0100-00000000A301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000601821Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:32.768{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F5C-6007-07A2-00000000A301}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601820Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:32.752{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601819Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:32.752{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601818Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:32.752{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601817Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:32.752{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601816Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:32.752{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2F5C-6007-07A2-00000000A301}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601815Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:32.752{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F5C-6007-07A2-00000000A301}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601814Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:32.753{5A2C5089-2F5C-6007-07A2-00000000A301}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601830Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:33.721{5A2C5089-2F5D-6007-08A2-00000000A301}24726752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601829Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:33.565{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F5D-6007-08A2-00000000A301}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601828Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:33.565{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601827Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:33.565{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601826Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:33.565{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601825Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:33.565{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601824Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:33.565{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2F5D-6007-08A2-00000000A301}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601823Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:33.565{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F5D-6007-08A2-00000000A301}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601822Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:33.424{5A2C5089-2F5D-6007-08A2-00000000A301}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601876Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.814{5A2C5089-2F5E-6007-0AA2-00000000A301}70446720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601875Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.674{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F5E-6007-0AA2-00000000A301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601874Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.674{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601873Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.674{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601872Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.674{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601871Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.674{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601870Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.674{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-2F5E-6007-0AA2-00000000A301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601869Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.674{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F5E-6007-0AA2-00000000A301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601868Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.674{5A2C5089-2F5E-6007-0AA2-00000000A301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601867Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.127{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F5E-6007-09A2-00000000A301}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601866Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.127{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601865Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.127{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601864Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.127{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601863Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.127{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601862Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.127{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2F5E-6007-09A2-00000000A301}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601861Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.127{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F5E-6007-09A2-00000000A301}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601860Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.128{5A2C5089-2F5E-6007-09A2-00000000A301}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601859Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601858Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601857Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601856Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601855Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601854Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601853Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601852Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601851Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601850Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601849Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601848Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601847Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601846Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601845Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601844Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601843Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601842Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601841Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601840Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601839Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601838Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601837Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601836Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601835Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601834Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601833Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601832Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601831Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:34.096{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601893Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.939{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F5F-6007-0CA2-00000000A301}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601892Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.939{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601891Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.939{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601890Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.939{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601889Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.939{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601888Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.939{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2F5F-6007-0CA2-00000000A301}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601887Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.939{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F5F-6007-0CA2-00000000A301}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601886Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.940{5A2C5089-2F5F-6007-0CA2-00000000A301}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601885Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.424{5A2C5089-2F5F-6007-0BA2-00000000A301}66527024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601884Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.268{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F5F-6007-0BA2-00000000A301}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601883Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.268{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601882Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.268{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601881Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.268{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601880Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.268{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601879Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.268{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2F5F-6007-0BA2-00000000A301}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601878Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.268{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F5F-6007-0BA2-00000000A301}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601877Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:35.270{5A2C5089-2F5F-6007-0BA2-00000000A301}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601904Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:36.767{5A2C5089-2F60-6007-0DA2-00000000A301}16565252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601903Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:36.760{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601902Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:36.760{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601901Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:36.611{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F60-6007-0DA2-00000000A301}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601900Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:36.611{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601899Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:36.611{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601898Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:36.611{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601897Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:36.611{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601896Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:36.611{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-2F60-6007-0DA2-00000000A301}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601895Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:36.611{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F60-6007-0DA2-00000000A301}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601894Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:13:36.612{5A2C5089-2F60-6007-0DA2-00000000A301}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000601914Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:13:46.751{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000601913Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:13:46.751{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x148a3c94) 13241300x8000000000000000601912Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:13:46.751{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ee8e-0xd417491d) 13241300x8000000000000000601911Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:13:46.751{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ee97-0x35dbb11d) 13241300x8000000000000000601910Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:13:46.751{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ee9f-0x97a0191d) 13241300x8000000000000000601909Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:13:46.751{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000601908Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:13:46.751{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x148a3c94) 13241300x8000000000000000601907Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:13:46.751{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ee8e-0xd417491d) 13241300x8000000000000000601906Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:13:46.751{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ee97-0x35dbb11d) 13241300x8000000000000000601905Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:13:46.751{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ee9f-0x97a0191d) 10341000x8000000000000000601915Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:26.437{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601925Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:32.937{5A2C5089-2F98-6007-0EA2-00000000A301}69563376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601924Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:32.781{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F98-6007-0EA2-00000000A301}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601923Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:32.765{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601922Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:32.765{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601921Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:32.765{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601920Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:32.765{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601919Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:32.765{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2F98-6007-0EA2-00000000A301}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601918Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:32.765{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F98-6007-0EA2-00000000A301}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601917Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:32.766{5A2C5089-2F98-6007-0EA2-00000000A301}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601916Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:32.046{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601942Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.953{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F99-6007-10A2-00000000A301}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601941Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.953{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601940Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.953{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601939Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.953{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601938Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.953{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601937Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.953{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2F99-6007-10A2-00000000A301}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601936Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.953{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F99-6007-10A2-00000000A301}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601935Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.953{5A2C5089-2F99-6007-10A2-00000000A301}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601934Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.437{5A2C5089-2F99-6007-0FA2-00000000A301}19403636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601933Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.281{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F99-6007-0FA2-00000000A301}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601932Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.281{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601931Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.281{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601930Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.281{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601929Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.281{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601928Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.281{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-2F99-6007-0FA2-00000000A301}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601927Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.281{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F99-6007-0FA2-00000000A301}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601926Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:33.282{5A2C5089-2F99-6007-0FA2-00000000A301}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601951Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:34.781{5A2C5089-2F9A-6007-11A2-00000000A301}64325916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601950Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:34.624{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F9A-6007-11A2-00000000A301}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601949Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:34.624{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601948Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:34.624{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601947Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:34.624{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601946Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:34.624{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601945Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:34.624{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2F9A-6007-11A2-00000000A301}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601944Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:34.624{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F9A-6007-11A2-00000000A301}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601943Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:34.625{5A2C5089-2F9A-6007-11A2-00000000A301}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601967Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.921{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F9B-6007-13A2-00000000A301}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601966Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.921{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601965Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.921{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601964Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.921{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601963Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.921{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601962Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.921{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2F9B-6007-13A2-00000000A301}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601961Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.921{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F9B-6007-13A2-00000000A301}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601960Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.922{5A2C5089-2F9B-6007-13A2-00000000A301}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601959Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.296{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F9B-6007-12A2-00000000A301}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601958Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.296{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601957Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.296{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601956Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.296{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601955Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.296{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601954Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.296{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2F9B-6007-12A2-00000000A301}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601953Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.296{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F9B-6007-12A2-00000000A301}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601952Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:35.297{5A2C5089-2F9B-6007-12A2-00000000A301}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000601976Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:36.702{5A2C5089-2F9C-6007-14A2-00000000A301}69684256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601975Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:36.546{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2F9C-6007-14A2-00000000A301}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601974Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:36.546{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601973Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:36.546{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601972Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:36.546{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601971Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:36.546{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601970Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:36.546{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2F9C-6007-14A2-00000000A301}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000601969Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:36.546{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2F9C-6007-14A2-00000000A301}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000601968Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:36.547{5A2C5089-2F9C-6007-14A2-00000000A301}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000602026Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.687{5A2C5089-ED5A-6001-1600-00000000A301}15361164C:\Windows\system32\svchost.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602025Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.687{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602024Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.671{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602023Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.671{5A2C5089-2CFA-6007-61A1-00000000A301}41646216C:\Windows\system32\csrss.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602022Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.671{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602021Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.671{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602020Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.655{5A2C5089-ED5A-6001-1600-00000000A301}15361164C:\Windows\system32\svchost.exe{5A2C5089-2FA1-6007-15A2-00000000A301}5352C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602019Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.655{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2FA1-6007-15A2-00000000A301}5352C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602018Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.640{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2FA1-6007-15A2-00000000A301}5352C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602017Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.640{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2FA1-6007-15A2-00000000A301}5352C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602016Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.640{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2FA1-6007-15A2-00000000A301}5352C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602015Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.640{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2FA1-6007-15A2-00000000A301}5352C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602014Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.624{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602013Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.624{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602012Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.624{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602011Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.624{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602010Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.609{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602009Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.609{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602008Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602007Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602006Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602005Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602004Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602003Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0D00-00000000A301}5801340C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602002Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0D00-00000000A301}5801340C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602001Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0D00-00000000A301}5801340C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602000Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0D00-00000000A301}5801340C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601999Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0D00-00000000A301}5801340C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601998Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0D00-00000000A301}5801340C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601997Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0D00-00000000A301}5801340C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601996Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0D00-00000000A301}5801340C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601995Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0D00-00000000A301}5801340C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601994Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0D00-00000000A301}5801340C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601993Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0D00-00000000A301}5801340C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601992Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0D00-00000000A301}5801340C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601991Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0D00-00000000A301}5801340C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601990Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0D00-00000000A301}5801340C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601989Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601988Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601987Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601986Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000601985Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000601984Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000601983Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601982Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601981Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601980Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601979Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601978Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x8000000000000000601977Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:41.593{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x8000000000000000602081Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.499{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602080Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.499{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602079Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.499{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602078Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.437{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602077Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.437{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602076Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.437{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602075Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.437{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602074Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.437{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602073Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.437{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602072Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.437{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602071Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.437{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602070Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.390{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602069Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.390{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602068Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.390{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602067Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.390{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602066Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.390{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602065Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.390{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602064Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.390{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602063Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.390{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602062Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.312{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602061Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.312{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602060Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.312{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602059Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.312{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602058Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.312{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602057Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.312{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602056Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.312{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602055Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.312{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602054Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.218{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602053Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.218{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602052Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.218{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602051Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.218{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602050Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.218{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602049Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.218{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602048Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.218{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602047Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.218{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602046Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.093{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602045Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.093{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602044Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.093{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602043Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.093{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602042Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.093{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602041Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.093{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602040Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.093{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602039Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.093{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602038Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.093{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602037Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.093{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602036Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.093{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000602035Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.093{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000602034Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.077{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602033Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.077{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602032Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.077{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602031Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.077{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602030Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.077{5A2C5089-2CFD-6007-76A1-00000000A301}22565596C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602029Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.077{5A2C5089-2CFD-6007-76A1-00000000A301}22565596C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602028Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.077{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602027Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:43.077{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602089Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:45.905{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602088Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:45.905{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602087Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:45.905{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602086Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:45.905{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602085Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:45.905{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602084Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:45.905{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602083Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:45.905{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602082Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:45.905{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602115Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.624{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602114Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.624{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602113Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.468{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602112Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.468{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602111Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.468{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602110Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.468{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602109Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.468{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602108Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.468{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602107Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.468{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602106Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.468{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602105Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.280{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602104Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.280{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602103Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.280{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602102Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.280{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602101Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.280{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602100Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.280{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602099Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.280{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602098Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.280{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602097Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.108{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602096Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.108{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602095Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.108{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602094Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.108{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602093Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.108{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602092Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.108{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602091Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.108{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602090Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:46.108{5A2C5089-2CFC-6007-6CA1-00000000A301}22886176C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602145Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.983{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602144Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602143Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602142Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602141Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602140Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602139Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602138Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602137Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602136Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602135Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602134Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602133Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602132Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602131Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602130Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602129Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x8000000000000000602128Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.968{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x8000000000000000602127Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.890{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602126Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.890{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602125Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.890{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602124Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.890{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602123Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.890{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602122Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.890{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602121Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.890{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602120Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.890{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602119Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.890{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602118Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.890{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602117Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.890{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602116Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:47.890{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602149Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:48.608{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602148Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:48.608{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602147Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:48.608{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602146Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:48.608{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602187Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.983{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602186Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.983{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602185Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.983{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602184Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.983{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602183Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.983{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602182Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.374{5A2C5089-ED5A-6001-1600-00000000A301}15361164C:\Windows\system32\svchost.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602181Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.374{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602180Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.343{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602179Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.343{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602178Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.343{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602177Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.343{5A2C5089-2CFD-6007-76A1-00000000A301}22565344C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602176Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.343{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602175Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.343{5A2C5089-2CFD-6007-76A1-00000000A301}22565344C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602174Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.327{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602173Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.327{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602172Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.327{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602171Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.327{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602170Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.327{5A2C5089-2CFA-6007-61A1-00000000A301}41646216C:\Windows\system32\csrss.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602169Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.327{5A2C5089-2CFD-6007-76A1-00000000A301}22564488C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+8fe71|C:\Windows\System32\SHELL32.dll+8ecd6|C:\Windows\System32\SHELL32.dll+cfbb1|C:\Windows\System32\SHELL32.dll+b5dbe|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+cfc37|C:\Windows\System32\SHELL32.dll+b5dbe|C:\Windows\System32\SHELL32.dll+17024f 154100x8000000000000000602168Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.330{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\System32\ServerManager.exe10.0.14393.2608 (rs1_release.181024-1742)Server ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationservermanager.dll"C:\Windows\system32\ServerManager.exe" C:\Windows\system32\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=83D44E309295488A933B084288B976D8,SHA256=A143F35F4F8674340F71A4669BCD8E7F82A6FC3E2FB682AA56B2D4E1E153A7B2,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000602167Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.311{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602166Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.311{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602165Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.311{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000602164Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.311{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000602163Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.311{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602162Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.311{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602161Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.296{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602160Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.296{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602159Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.296{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602158Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.296{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602157Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.296{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602156Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.296{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602155Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.296{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602154Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.296{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602153Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.296{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602152Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.296{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602151Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.296{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602150Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:49.296{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602235Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.929{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602234Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.929{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602233Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.929{5A2C5089-ED57-6001-0B00-00000000A301}8602232C:\Windows\system32\lsass.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602232Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.861{5A2C5089-ED5A-6001-1600-00000000A301}15366096C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-19A2-00000000A301}5640C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602231Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.851{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-19A2-00000000A301}5640C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602230Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.814{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2FAA-6007-19A2-00000000A301}5640C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602229Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.814{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-19A2-00000000A301}5640C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602228Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.801{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602227Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.801{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602226Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.801{5A2C5089-ED57-6001-0B00-00000000A301}8602232C:\Windows\system32\lsass.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602225Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.764{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602224Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.764{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602223Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.764{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602222Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.764{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602221Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.749{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602220Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.749{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602219Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.749{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602218Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.749{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602217Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.749{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602216Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.749{5A2C5089-ED57-6001-0B00-00000000A301}8602232C:\Windows\system32\lsass.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602215Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.749{5A2C5089-ED57-6001-0B00-00000000A301}8602232C:\Windows\system32\lsass.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602214Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.749{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602213Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.749{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602212Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.749{5A2C5089-ED57-6001-0B00-00000000A301}8602232C:\Windows\system32\lsass.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602211Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.686{5A2C5089-ED5A-6001-1600-00000000A301}15365164C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602210Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.671{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602209Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.655{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602208Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.655{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602207Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.639{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602206Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.639{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602205Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.639{5A2C5089-ED57-6001-0B00-00000000A301}8602232C:\Windows\system32\lsass.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602204Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.546{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602203Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.546{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602202Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.499{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+f754|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602201Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.499{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+f754|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602200Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.499{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602199Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.499{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602198Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.499{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602197Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.452{5A2C5089-ED5A-6001-1000-00000000A301}11681856C:\Windows\system32\svchost.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602196Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.452{5A2C5089-ED5A-6001-1000-00000000A301}11681856C:\Windows\system32\svchost.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602195Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.452{5A2C5089-ED5A-6001-1000-00000000A301}11681856C:\Windows\system32\svchost.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602194Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.374{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602193Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.374{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602192Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.374{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602191Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.374{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602190Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.171{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602189Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.046{5A2C5089-ED57-6001-0B00-00000000A301}8602232C:\Windows\system32\lsass.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602188Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:50.046{5A2C5089-ED57-6001-0B00-00000000A301}8602232C:\Windows\system32\lsass.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602247Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:51.982{5A2C5089-2FAB-6007-1CA2-00000000A301}67645500C:\Windows\system32\conhost.exe{5A2C5089-2FAB-6007-1AA2-00000000A301}5248C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602246Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:51.967{5A2C5089-2CFA-6007-61A1-00000000A301}41643176C:\Windows\system32\csrss.exe{5A2C5089-2FAB-6007-1CA2-00000000A301}6764C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602245Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:51.952{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602244Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:51.951{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602243Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:51.951{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602242Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:51.951{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602241Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:51.951{5A2C5089-2CFA-6007-61A1-00000000A301}41646216C:\Windows\system32\csrss.exe{5A2C5089-2FAB-6007-1AA2-00000000A301}5248C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602240Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:51.950{5A2C5089-2FA9-6007-17A2-00000000A301}66406360C:\Windows\system32\ServerManager.exe{5A2C5089-2FAB-6007-1AA2-00000000A301}5248C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\7945c23890110f8cc8a334e3d6b99dac\Microsoft.Windows.ServerManager.Common.ni.dll+260(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\7945c23890110f8cc8a334e3d6b99dac\Microsoft.Windows.ServerManager.Common.ni.dll+260(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\7945c23890110f8cc8a334e3d6b99dac\Microsoft.Windows.ServerManager.Common.ni.dll+260(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6873|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6728|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1b62ad|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1b5def|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1fb5d602b6f8dd4b8d971ddbd1490fb3\mscorlib.ni.dll+f23554|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1fb5d602b6f8dd4b8d971ddbd1490fb3\mscorlib.ni.dll+505ab3|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1fb5d602b6f8dd4b8d971ddbd1490fb3\mscorlib.ni.dll+505944|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1fb5d602b6f8dd4b8d971ddbd1490fb3\mscorlib.ni.dll+545b43|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1fb5d602b6f8dd4b8d971ddbd1490fb3\mscorlib.ni.dll+544e22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6873|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6728|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6dfd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+bf39|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+75c1 154100x8000000000000000602239Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:51.950{5A2C5089-2FAB-6007-1AA2-00000000A301}5248C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 10341000x8000000000000000602238Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:51.950{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602237Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:51.950{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602236Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:51.950{5A2C5089-ED57-6001-0B00-00000000A301}8602232C:\Windows\system32\lsass.exe{5A2C5089-ED57-6001-0A00-00000000A301}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000602261Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:52.560{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.3503 (rs1_release.200131-0410)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=4B455FA2A15BE4C278D0D655A7EA9543,SHA256=1C04ABE14400CC4175704B08D008454820BBF14BFECE1934A82756A6037E681B,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 10341000x8000000000000000602260Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:52.389{5A2C5089-2FAB-6007-1BA2-00000000A301}65444748C:\Windows\system32\sppsvc.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d889|C:\Windows\system32\sppsvc.exe+7ec28|C:\Windows\system32\sppsvc.exe+749f0|C:\Windows\system32\sppsvc.exe+95a0e|C:\Windows\system32\sppsvc.exe+54717|C:\Windows\system32\sppsvc.exe+a1ebb|C:\Windows\system32\sppsvc.exe+b429a|C:\Windows\system32\sppsvc.exe+b458f|C:\Windows\system32\RPCRT4.dll+78e23|C:\Windows\system32\RPCRT4.dll+d96bd|C:\Windows\system32\RPCRT4.dll+6194c|C:\Windows\system32\RPCRT4.dll+52bf4|C:\Windows\system32\RPCRT4.dll+51b0d|C:\Windows\system32\RPCRT4.dll+523bb|C:\Windows\system32\RPCRT4.dll+2469c|C:\Windows\system32\RPCRT4.dll+24b1c|C:\Windows\system32\RPCRT4.dll+111bc|C:\Windows\system32\RPCRT4.dll+12a1b|C:\Windows\system32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4 10341000x8000000000000000602259Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:52.389{5A2C5089-2FAB-6007-1BA2-00000000A301}65444748C:\Windows\system32\sppsvc.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d889|C:\Windows\system32\sppsvc.exe+74b0a|C:\Windows\system32\sppsvc.exe+959c1|C:\Windows\system32\sppsvc.exe+54717|C:\Windows\system32\sppsvc.exe+a1ebb|C:\Windows\system32\sppsvc.exe+b429a|C:\Windows\system32\sppsvc.exe+b458f|C:\Windows\system32\RPCRT4.dll+78e23|C:\Windows\system32\RPCRT4.dll+d96bd|C:\Windows\system32\RPCRT4.dll+6194c|C:\Windows\system32\RPCRT4.dll+52bf4|C:\Windows\system32\RPCRT4.dll+51b0d|C:\Windows\system32\RPCRT4.dll+523bb|C:\Windows\system32\RPCRT4.dll+2469c|C:\Windows\system32\RPCRT4.dll+24b1c|C:\Windows\system32\RPCRT4.dll+111bc|C:\Windows\system32\RPCRT4.dll+12a1b|C:\Windows\system32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000602258Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:52.158{5A2C5089-2FAB-6007-1AA2-00000000A301}5248C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000602257Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:52.134{5A2C5089-ED57-6001-0B00-00000000A301}8602488C:\Windows\system32\lsass.exe{5A2C5089-2FAB-6007-1AA2-00000000A301}5248C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602256Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:52.133{5A2C5089-ED57-6001-0B00-00000000A301}8602488C:\Windows\system32\lsass.exe{5A2C5089-2FAB-6007-1AA2-00000000A301}5248C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602255Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:52.071{5A2C5089-ED5A-6001-1600-00000000A301}15363564C:\Windows\system32\svchost.exe{5A2C5089-2FAB-6007-1AA2-00000000A301}5248C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602254Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:52.071{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2FAB-6007-1AA2-00000000A301}5248C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602253Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:52.056{5A2C5089-ED5A-6001-1600-00000000A301}15363564C:\Windows\system32\svchost.exe{5A2C5089-2FAB-6007-1CA2-00000000A301}6764C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602252Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:52.056{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2FAB-6007-1CA2-00000000A301}6764C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602251Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:52.048{5A2C5089-ED57-6001-0A00-00000000A301}8521140C:\Windows\system32\services.exe{5A2C5089-2FAB-6007-1BA2-00000000A301}6544C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602250Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:52.047{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAB-6007-1BA2-00000000A301}6544C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602249Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:52.016{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-2FAB-6007-1BA2-00000000A301}6544C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602248Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:52.016{5A2C5089-ED57-6001-0A00-00000000A301}8524936C:\Windows\system32\services.exe{5A2C5089-2FAB-6007-1BA2-00000000A301}6544C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602273Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:53.684{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602272Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:53.684{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602271Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:53.684{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602270Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:53.657{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602269Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:53.656{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602268Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:53.656{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602267Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:53.656{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602266Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:53.655{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602265Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:53.655{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602264Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:53.654{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602263Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:53.654{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602262Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:53.654{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602286Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:54.774{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602285Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:54.774{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602284Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:54.774{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602283Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:54.774{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602282Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:54.773{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602281Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:54.773{5A2C5089-2CFC-6007-6DA1-00000000A301}1344184C:\Windows\system32\sihost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602280Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:54.615{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602279Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:54.615{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602278Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:54.615{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602277Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:54.461{5A2C5089-ED5A-6001-1600-00000000A301}15362440C:\Windows\system32\svchost.exe{5A2C5089-2FAE-6007-1DA2-00000000A301}4976C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602276Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:54.444{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2FAE-6007-1DA2-00000000A301}4976C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602275Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:54.395{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2FAE-6007-1DA2-00000000A301}4976C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602274Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:54.395{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2FAE-6007-1DA2-00000000A301}4976C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602308Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.967{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602307Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.967{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602306Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.967{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602305Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.967{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602304Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.967{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602303Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.967{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602302Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.967{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602301Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.967{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602300Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.967{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602299Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.967{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602298Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.967{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602297Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.967{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602296Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.967{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602295Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.920{5A2C5089-ED5A-6001-1600-00000000A301}15363212C:\Windows\system32\svchost.exe{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602294Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.920{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602293Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.874{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602292Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.874{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602291Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.874{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602290Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.874{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602289Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.874{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602288Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.858{5A2C5089-2FA9-6007-17A2-00000000A301}66406660-{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\shell32.dll+8d42f|C:\Windows\System32\shell32.dll+8d2bc|C:\Windows\System32\shell32.dll+8d00c|C:\Windows\System32\shell32.dll+114fd7|C:\Windows\System32\shell32.dll+114f35|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+33903a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+276811|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+acd828|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+271e5f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b56bc|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\7945c23890110f8cc8a334e3d6b99dac\Microsoft.Windows.ServerManager.Common.ni.dll+260(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\7945c23890110f8cc8a334e3d6b99dac\Microsoft.Windows.ServerManager.Common.ni.dll+260(wow64) 154100x8000000000000000602287Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:55.872{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\system32\rundll32.exe" C:\Windows\system32\iesetup.dll,IEShowHardeningDialogC:\Windows\system32\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 13241300x8000000000000000602317Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:14:58.874{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exeHKU\S-1-5-21-1839124484-365630122-3507043028-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809DWORD (0x00000000) 13241300x8000000000000000602316Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:14:58.874{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exeHKU\S-1-5-21-1839124484-365630122-3507043028-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206DWORD (0x00000003) 10341000x8000000000000000602315Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.639{5A2C5089-2CFA-6007-61A1-00000000A301}41646216C:\Windows\system32\csrss.exe{5A2C5089-2FB2-6007-1FA2-00000000A301}6504C:\Windows\SysWOW64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602314Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.639{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602313Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.639{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602312Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.639{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602311Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.639{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602310Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.639{5A2C5089-2FAF-6007-1EA2-00000000A301}45606448C:\Windows\system32\rundll32.exe{5A2C5089-2FB2-6007-1FA2-00000000A301}6504C:\Windows\SysWOW64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\iesetup.dll+20cb|C:\Windows\system32\iesetup.dll+2239|C:\Windows\system32\iesetup.dll+240e|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+115a5|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+4a57e|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5fa88|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\system32\iesetup.dll+2696|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000602309Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.646{5A2C5089-2FB2-6007-1FA2-00000000A301}6504C:\Windows\SysWOW64\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\SysWOW64\rundll32.exe" iesetup.dll,IEHardenMachineNow uC:\Windows\system32\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=A6ED2B5513A128315EC73A300D215759,SHA256=9980CC59993DCDE34A20411E3FACFEE8E7B159EE0D6FA510BCFAECC8532B4C02,IMPHASH=B79A26282DC6494FFDA9173E830DAB0A{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\System32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\iesetup.dll,IEShowHardeningDialog 13241300x8000000000000000602339Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:14:59.342{5A2C5089-2FB2-6007-1FA2-00000000A301}6504C:\Windows\SysWOW64\rundll32.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809DWORD (0x00000000) 13241300x8000000000000000602338Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:14:59.342{5A2C5089-2FB2-6007-20A2-00000000A301}6436C:\Windows\SysWOW64\rundll32.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809DWORD (0x00000000) 13241300x8000000000000000602337Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:14:59.342{5A2C5089-2FB2-6007-20A2-00000000A301}6436C:\Windows\SysWOW64\rundll32.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206DWORD (0x00000003) 13241300x8000000000000000602336Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:14:59.342{5A2C5089-2FB2-6007-1FA2-00000000A301}6504C:\Windows\SysWOW64\rundll32.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206DWORD (0x00000003) 10341000x8000000000000000602335Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:59.139{5A2C5089-ED5A-6001-1600-00000000A301}15363212C:\Windows\system32\svchost.exe{5A2C5089-2FB2-6007-1FA2-00000000A301}6504C:\Windows\SysWOW64\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602334Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:59.139{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2FB2-6007-1FA2-00000000A301}6504C:\Windows\SysWOW64\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602333Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:59.139{5A2C5089-ED5A-6001-1600-00000000A301}15363212C:\Windows\system32\svchost.exe{5A2C5089-2FB2-6007-20A2-00000000A301}6436C:\Windows\SysWOW64\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602332Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:59.139{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2FB2-6007-20A2-00000000A301}6436C:\Windows\SysWOW64\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602331Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:59.077{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602330Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:59.077{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602329Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:59.077{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602328Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:59.077{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602327Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.920{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602326Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.920{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602325Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.905{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602324Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.905{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602323Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.905{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602322Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.905{5A2C5089-2CFA-6007-61A1-00000000A301}41646216C:\Windows\system32\csrss.exe{5A2C5089-2FB2-6007-20A2-00000000A301}6436C:\Windows\SysWOW64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602321Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.905{5A2C5089-2FAF-6007-1EA2-00000000A301}45606448C:\Windows\system32\rundll32.exe{5A2C5089-2FB2-6007-20A2-00000000A301}6436C:\Windows\SysWOW64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\iesetup.dll+20cb|C:\Windows\system32\iesetup.dll+2782|C:\Windows\system32\iesetup.dll+2300|C:\Windows\system32\iesetup.dll+240e|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+115a5|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+4a57e|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5fa88|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\system32\iesetup.dll+2696|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000602320Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:14:58.914{5A2C5089-2FB2-6007-20A2-00000000A301}6436C:\Windows\SysWOW64\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\SysWOW64\rundll32.exe" iesetup.dll,IEHardenMachineNow uC:\Windows\system32\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=A6ED2B5513A128315EC73A300D215759,SHA256=9980CC59993DCDE34A20411E3FACFEE8E7B159EE0D6FA510BCFAECC8532B4C02,IMPHASH=B79A26282DC6494FFDA9173E830DAB0A{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\System32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\iesetup.dll,IEShowHardeningDialog 13241300x8000000000000000602319Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:14:58.905{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809DWORD (0x00000000) 13241300x8000000000000000602318Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:14:58.905{5A2C5089-2FAF-6007-1EA2-00000000A301}4560C:\Windows\system32\rundll32.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206DWORD (0x00000003) 10341000x8000000000000000602346Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:00.577{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2FA9-6007-17A2-00000000A301}6640C:\Windows\system32\ServerManager.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602345Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:00.467{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602344Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:00.467{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602343Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:00.452{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602342Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:00.452{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602341Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:00.452{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602340Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:00.452{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000602358Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localInvDBSetValue2021-01-19 19:15:01.987{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKU\S-1-5-21-1839124484-365630122-3507043028-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Internet Explorer\iexplore.exeBinary Data 12241200x8000000000000000602357Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localInvDBDeleteValue2021-01-19 19:15:01.987{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKU\S-1-5-21-1839124484-365630122-3507043028-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Internet Explorer\iexplore.exe 10341000x8000000000000000602356Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:01.987{5A2C5089-ED5A-6001-1200-00000000A301}12083864C:\Windows\System32\svchost.exe{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602355Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:01.987{5A2C5089-ED5A-6001-1200-00000000A301}12083864C:\Windows\System32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602354Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:01.971{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602353Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:01.971{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602352Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:01.971{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602351Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:01.971{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602350Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:01.971{5A2C5089-2CFA-6007-61A1-00000000A301}41646216C:\Windows\system32\csrss.exe{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602349Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:01.971{5A2C5089-2CFD-6007-76A1-00000000A301}22565768C:\Windows\Explorer.EXE{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+8fe71|C:\Windows\System32\SHELL32.dll+8ecd6|C:\Windows\System32\SHELL32.dll+cfbb1|C:\Windows\System32\SHELL32.dll+b5dbe|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+cfc37|C:\Windows\System32\SHELL32.dll+b5dbe|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x8000000000000000602348Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:01.967{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe11.00.14393.2007 (rs1_release.171231-1800)Internet ExplorerInternet ExplorerMicrosoft CorporationIEXPLORE.EXE"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=DED3D744D46A5CE7965CE2B75B54958A,SHA256=70C9616C026266BB3A1213BCC50E3A9A24238703FB7745746628D11163905D2F,IMPHASH=9BB01C801600CEBDCA166D0534E98CE6{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 13241300x8000000000000000602347Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:15:01.061{5A2C5089-ED5A-6001-1000-00000000A301}1168C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ee97-0x624bca7e) 10341000x8000000000000000602400Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.847{5A2C5089-ED5A-6001-1600-00000000A301}15363212C:\Windows\system32\svchost.exe{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602399Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.847{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602398Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.643{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602397Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.643{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602396Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.643{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602395Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.643{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602394Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.643{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602393Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.643{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602392Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.643{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602391Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141977|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602390Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1418e2|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602389Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602388Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602387Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141977|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602386Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1418e2|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602385Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602384Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602383Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141977|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602382Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1418e2|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602381Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602380Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602379Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+170f46|C:\Windows\System32\windows.storage.dll+1411fc|C:\Windows\System32\windows.storage.dll+140fd8|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602378Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+170f34|C:\Windows\System32\windows.storage.dll+1411fc|C:\Windows\System32\windows.storage.dll+140fd8|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602377Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.518{5A2C5089-2FB5-6007-21A2-00000000A301}54405388C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+170f34|C:\Windows\System32\windows.storage.dll+1411fc|C:\Windows\System32\windows.storage.dll+140fd8|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602376Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.503{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\iertutil.dll+36dd1|C:\Windows\SYSTEM32\iertutil.dll+36980|C:\Windows\SYSTEM32\iertutil.dll+34bac|C:\Windows\SYSTEM32\iertutil.dll+34f5f|C:\Windows\SYSTEM32\iertutil.dll+48078|C:\Windows\SYSTEM32\IEFRAME.dll+2bb302|C:\Windows\SYSTEM32\IEFRAME.dll+1174d|C:\Windows\SYSTEM32\IEFRAME.dll+129b8|C:\Windows\SYSTEM32\IEFRAME.dll+12c00|C:\Windows\SYSTEM32\IEFRAME.dll+13101|C:\Windows\SYSTEM32\IEFRAME.dll+2a8506|C:\Windows\SYSTEM32\IEFRAME.dll+152534|C:\Windows\SYSTEM32\IEFRAME.dll+14ab1|C:\Windows\SYSTEM32\IEFRAME.dll+1525bf|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602375Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.503{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602374Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.487{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602373Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.487{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602372Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.487{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602371Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.487{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602370Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.487{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+26f4c|C:\Windows\SYSTEM32\iertutil.dll+28043|C:\Windows\SYSTEM32\iertutil.dll+36911|C:\Windows\SYSTEM32\iertutil.dll+34bac|C:\Windows\SYSTEM32\iertutil.dll+34f5f|C:\Windows\SYSTEM32\iertutil.dll+48078|C:\Windows\SYSTEM32\IEFRAME.dll+2bb302|C:\Windows\SYSTEM32\IEFRAME.dll+1174d|C:\Windows\SYSTEM32\IEFRAME.dll+129b8|C:\Windows\SYSTEM32\IEFRAME.dll+12c00|C:\Windows\SYSTEM32\IEFRAME.dll+13101|C:\Windows\SYSTEM32\IEFRAME.dll+2a8506|C:\Windows\SYSTEM32\IEFRAME.dll+152534|C:\Windows\SYSTEM32\IEFRAME.dll+14ab1|C:\Windows\SYSTEM32\IEFRAME.dll+1525bf|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000602369Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.483{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\iexplore.exe11.00.14393.2007 (rs1_release.171231-1800)Internet ExplorerInternet ExplorerMicrosoft CorporationIEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5440 CREDAT:82945 /prefetch:2C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=7D930D55986DF5C69CF1A9C2DE7E33B3,SHA256=BEBB0D2229700C6A62B7811985061DC75F6279AB0FF8747C47CCADB6CC2CC462,IMPHASH=E7542C041AAD637F8E6918BBE235A488{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" 10341000x8000000000000000602368Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.472{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602367Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.456{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602366Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.409{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602365Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.409{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602364Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.362{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\IEFRAME.dll+15755|C:\Windows\SYSTEM32\IEFRAME.dll+156d3|C:\Windows\SYSTEM32\IEFRAME.dll+1564d|C:\Windows\SYSTEM32\IEFRAME.dll+1545e|C:\Windows\SYSTEM32\IEFRAME.dll+2a8230|C:\Windows\SYSTEM32\IEFRAME.dll+152534|C:\Windows\SYSTEM32\IEFRAME.dll+14ab1|C:\Windows\SYSTEM32\IEFRAME.dll+1525bf|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602363Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.347{5A2C5089-ED5A-6001-1600-00000000A301}15363212C:\Windows\system32\svchost.exe{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602362Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.347{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602361Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.018{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000602360Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.018{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+2945b|C:\Windows\System32\combase.dll+2a962|C:\Windows\System32\combase.dll+4fcf3|C:\Windows\System32\combase.dll+2ab6d|C:\Windows\System32\combase.dll+4e03f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000602359Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:02.003{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7 10341000x8000000000000000602426Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.925{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\system32\explorerframe.dll+154e|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+832f|C:\Windows\SYSTEM32\IEFRAME.dll+e5166|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96|C:\Windows\System32\USER32.dll+2e813 10341000x8000000000000000602425Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.925{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+832f|C:\Windows\SYSTEM32\IEFRAME.dll+e5166|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96 10341000x8000000000000000602424Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.925{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+832f|C:\Windows\SYSTEM32\IEFRAME.dll+e5166|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96|C:\Windows\System32\USER32.dll+2e813 10341000x8000000000000000602423Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.925{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602422Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.925{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602421Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.862{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602420Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.862{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602419Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.862{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+d1597|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\SYSTEM32\IEUI.dll+54ab|C:\Windows\SYSTEM32\IEFRAME.dll+d9383|C:\Windows\SYSTEM32\IEFRAME.dll+1196f|C:\Windows\SYSTEM32\IEFRAME.dll+129b8 10341000x8000000000000000602418Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.847{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602417Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.847{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602416Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.847{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602415Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.847{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602414Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.847{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+d141d|C:\Windows\System32\SHELL32.dll+d1ac3|C:\Windows\System32\SHELL32.dll+d19f4|C:\Windows\System32\SHELL32.dll+d12a2|C:\Windows\SYSTEM32\IEFRAME.dll+11dd18|C:\Windows\SYSTEM32\IEFRAME.dll+d77d2|C:\Windows\SYSTEM32\IEFRAME.dll+d9f4e|C:\Windows\SYSTEM32\IEFRAME.dll+da7d4|C:\Windows\SYSTEM32\IEFRAME.dll+6851e|C:\Windows\SYSTEM32\IEFRAME.dll+de9b1|C:\Windows\SYSTEM32\IEFRAME.dll+d0abd|C:\Windows\SYSTEM32\IEFRAME.dll+d1939|C:\Windows\SYSTEM32\IEFRAME.dll+d1e22|C:\Windows\SYSTEM32\IEFRAME.dll+ceef8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32b2d|C:\Windows\SYSTEM32\IEFRAME.dll+d970b|C:\Windows\SYSTEM32\IEFRAME.dll+1196f|C:\Windows\SYSTEM32\IEFRAME.dll+129b8 10341000x8000000000000000602413Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.847{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+d1399|C:\Windows\System32\SHELL32.dll+d1ac3|C:\Windows\System32\SHELL32.dll+d19f4|C:\Windows\System32\SHELL32.dll+d12a2|C:\Windows\SYSTEM32\IEFRAME.dll+11dd18|C:\Windows\SYSTEM32\IEFRAME.dll+d77d2|C:\Windows\SYSTEM32\IEFRAME.dll+d9f4e|C:\Windows\SYSTEM32\IEFRAME.dll+da7d4|C:\Windows\SYSTEM32\IEFRAME.dll+6851e|C:\Windows\SYSTEM32\IEFRAME.dll+de9b1|C:\Windows\SYSTEM32\IEFRAME.dll+d0abd|C:\Windows\SYSTEM32\IEFRAME.dll+d1939|C:\Windows\SYSTEM32\IEFRAME.dll+d1e22|C:\Windows\SYSTEM32\IEFRAME.dll+ceef8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32b2d|C:\Windows\SYSTEM32\IEFRAME.dll+d970b|C:\Windows\SYSTEM32\IEFRAME.dll+1196f|C:\Windows\SYSTEM32\IEFRAME.dll+129b8 10341000x8000000000000000602412Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.847{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d137d|C:\Windows\System32\SHELL32.dll+d1ac3|C:\Windows\System32\SHELL32.dll+d19f4|C:\Windows\System32\SHELL32.dll+d12a2|C:\Windows\SYSTEM32\IEFRAME.dll+11dd18|C:\Windows\SYSTEM32\IEFRAME.dll+d77d2|C:\Windows\SYSTEM32\IEFRAME.dll+d9f4e|C:\Windows\SYSTEM32\IEFRAME.dll+da7d4|C:\Windows\SYSTEM32\IEFRAME.dll+6851e|C:\Windows\SYSTEM32\IEFRAME.dll+de9b1|C:\Windows\SYSTEM32\IEFRAME.dll+d0abd|C:\Windows\SYSTEM32\IEFRAME.dll+d1939|C:\Windows\SYSTEM32\IEFRAME.dll+d1e22|C:\Windows\SYSTEM32\IEFRAME.dll+ceef8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000602411Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.847{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d137d|C:\Windows\System32\SHELL32.dll+d1ac3|C:\Windows\System32\SHELL32.dll+d19f4|C:\Windows\System32\SHELL32.dll+d12a2|C:\Windows\SYSTEM32\IEFRAME.dll+11dd18|C:\Windows\SYSTEM32\IEFRAME.dll+d77d2|C:\Windows\SYSTEM32\IEFRAME.dll+d9f4e|C:\Windows\SYSTEM32\IEFRAME.dll+da7d4|C:\Windows\SYSTEM32\IEFRAME.dll+6851e|C:\Windows\SYSTEM32\IEFRAME.dll+de9b1|C:\Windows\SYSTEM32\IEFRAME.dll+d0abd|C:\Windows\SYSTEM32\IEFRAME.dll+d1939|C:\Windows\SYSTEM32\IEFRAME.dll+d1e22|C:\Windows\SYSTEM32\IEFRAME.dll+ceef8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32b2d 10341000x8000000000000000602410Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.737{5A2C5089-ED5A-6001-1000-00000000A301}11681856C:\Windows\system32\svchost.exe{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602409Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.722{5A2C5089-ED5A-6001-1000-00000000A301}11681856C:\Windows\system32\svchost.exe{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602408Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.659{5A2C5089-ED5A-6001-1000-00000000A301}11681856C:\Windows\system32\svchost.exe{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602407Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.550{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\system32\explorerframe.dll+154e|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+d018a|C:\Windows\SYSTEM32\IEFRAME.dll+d1649|C:\Windows\SYSTEM32\IEFRAME.dll+d1e22|C:\Windows\SYSTEM32\IEFRAME.dll+ceef8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32b2d|C:\Windows\SYSTEM32\IEFRAME.dll+d970b|C:\Windows\SYSTEM32\IEFRAME.dll+1196f|C:\Windows\SYSTEM32\IEFRAME.dll+129b8|C:\Windows\SYSTEM32\IEFRAME.dll+12c00|C:\Windows\SYSTEM32\IEFRAME.dll+13101|C:\Windows\SYSTEM32\IEFRAME.dll+2a8506|C:\Windows\SYSTEM32\IEFRAME.dll+152534|C:\Windows\SYSTEM32\IEFRAME.dll+14ab1 10341000x8000000000000000602406Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.550{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+d018a|C:\Windows\SYSTEM32\IEFRAME.dll+d1649|C:\Windows\SYSTEM32\IEFRAME.dll+d1e22|C:\Windows\SYSTEM32\IEFRAME.dll+ceef8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32b2d|C:\Windows\SYSTEM32\IEFRAME.dll+d970b|C:\Windows\SYSTEM32\IEFRAME.dll+1196f|C:\Windows\SYSTEM32\IEFRAME.dll+129b8|C:\Windows\SYSTEM32\IEFRAME.dll+12c00|C:\Windows\SYSTEM32\IEFRAME.dll+13101|C:\Windows\SYSTEM32\IEFRAME.dll+2a8506|C:\Windows\SYSTEM32\IEFRAME.dll+152534 10341000x8000000000000000602405Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.550{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+d018a|C:\Windows\SYSTEM32\IEFRAME.dll+d1649|C:\Windows\SYSTEM32\IEFRAME.dll+d1e22|C:\Windows\SYSTEM32\IEFRAME.dll+ceef8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32b2d|C:\Windows\SYSTEM32\IEFRAME.dll+d970b|C:\Windows\SYSTEM32\IEFRAME.dll+1196f|C:\Windows\SYSTEM32\IEFRAME.dll+129b8|C:\Windows\SYSTEM32\IEFRAME.dll+12c00|C:\Windows\SYSTEM32\IEFRAME.dll+13101|C:\Windows\SYSTEM32\IEFRAME.dll+2a8506|C:\Windows\SYSTEM32\IEFRAME.dll+152534|C:\Windows\SYSTEM32\IEFRAME.dll+14ab1 10341000x8000000000000000602404Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.300{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602403Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.268{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602402Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.222{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602401Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:03.222{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602429Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:05.300{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602428Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:05.300{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602427Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:05.300{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602431Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:06.237{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602430Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:06.237{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602439Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:08.346{5A2C5089-2FB5-6007-21A2-00000000A301}54405348C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141977|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+1a6fd|C:\Windows\SYSTEM32\IEFRAME.dll+188bf|C:\Windows\SYSTEM32\IEFRAME.dll+3a601|C:\Windows\SYSTEM32\IEFRAME.dll+3ae25|C:\Windows\SYSTEM32\IEFRAME.dll+f9a06|C:\Windows\SYSTEM32\IEFRAME.dll+f93df|C:\Windows\SYSTEM32\IEFRAME.dll+f92e1|C:\Windows\SYSTEM32\IEFRAME.dll+f9104|C:\Windows\SYSTEM32\IEFRAME.dll+f9061|C:\Windows\SYSTEM32\IEFRAME.dll+3f8de|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602438Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:08.346{5A2C5089-2FB5-6007-21A2-00000000A301}54405348C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1418e2|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+1a6fd|C:\Windows\SYSTEM32\IEFRAME.dll+188bf|C:\Windows\SYSTEM32\IEFRAME.dll+3a601|C:\Windows\SYSTEM32\IEFRAME.dll+3ae25|C:\Windows\SYSTEM32\IEFRAME.dll+f9a06|C:\Windows\SYSTEM32\IEFRAME.dll+f93df|C:\Windows\SYSTEM32\IEFRAME.dll+f92e1|C:\Windows\SYSTEM32\IEFRAME.dll+f9104|C:\Windows\SYSTEM32\IEFRAME.dll+f9061|C:\Windows\SYSTEM32\IEFRAME.dll+3f8de|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602437Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:08.346{5A2C5089-2FB5-6007-21A2-00000000A301}54405348C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+1a6fd|C:\Windows\SYSTEM32\IEFRAME.dll+188bf|C:\Windows\SYSTEM32\IEFRAME.dll+3a601|C:\Windows\SYSTEM32\IEFRAME.dll+3ae25|C:\Windows\SYSTEM32\IEFRAME.dll+f9a06|C:\Windows\SYSTEM32\IEFRAME.dll+f93df|C:\Windows\SYSTEM32\IEFRAME.dll+f92e1|C:\Windows\SYSTEM32\IEFRAME.dll+f9104|C:\Windows\SYSTEM32\IEFRAME.dll+f9061|C:\Windows\SYSTEM32\IEFRAME.dll+3f8de|C:\Windows\SYSTEM32\ntdll.dll+39d09 10341000x8000000000000000602436Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:08.346{5A2C5089-2FB5-6007-21A2-00000000A301}54405348C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+1a6fd|C:\Windows\SYSTEM32\IEFRAME.dll+188bf|C:\Windows\SYSTEM32\IEFRAME.dll+3a601|C:\Windows\SYSTEM32\IEFRAME.dll+3ae25|C:\Windows\SYSTEM32\IEFRAME.dll+f9a06|C:\Windows\SYSTEM32\IEFRAME.dll+f93df|C:\Windows\SYSTEM32\IEFRAME.dll+f92e1|C:\Windows\SYSTEM32\IEFRAME.dll+f9104|C:\Windows\SYSTEM32\IEFRAME.dll+f9061|C:\Windows\SYSTEM32\IEFRAME.dll+3f8de|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a 10341000x8000000000000000602435Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:08.346{5A2C5089-2FB5-6007-21A2-00000000A301}54405348C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141977|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+1a6fd|C:\Windows\SYSTEM32\IEFRAME.dll+188bf|C:\Windows\SYSTEM32\IEFRAME.dll+3a601|C:\Windows\SYSTEM32\IEFRAME.dll+3ae25|C:\Windows\SYSTEM32\IEFRAME.dll+f9a06|C:\Windows\SYSTEM32\IEFRAME.dll+f93df|C:\Windows\SYSTEM32\IEFRAME.dll+f92e1|C:\Windows\SYSTEM32\IEFRAME.dll+f9104|C:\Windows\SYSTEM32\IEFRAME.dll+f9061|C:\Windows\SYSTEM32\IEFRAME.dll+3f8de|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602434Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:08.346{5A2C5089-2FB5-6007-21A2-00000000A301}54405348C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1418e2|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+1a6fd|C:\Windows\SYSTEM32\IEFRAME.dll+188bf|C:\Windows\SYSTEM32\IEFRAME.dll+3a601|C:\Windows\SYSTEM32\IEFRAME.dll+3ae25|C:\Windows\SYSTEM32\IEFRAME.dll+f9a06|C:\Windows\SYSTEM32\IEFRAME.dll+f93df|C:\Windows\SYSTEM32\IEFRAME.dll+f92e1|C:\Windows\SYSTEM32\IEFRAME.dll+f9104|C:\Windows\SYSTEM32\IEFRAME.dll+f9061|C:\Windows\SYSTEM32\IEFRAME.dll+3f8de|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602433Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:08.346{5A2C5089-2FB5-6007-21A2-00000000A301}54405348C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+1a6fd|C:\Windows\SYSTEM32\IEFRAME.dll+188bf|C:\Windows\SYSTEM32\IEFRAME.dll+3a601|C:\Windows\SYSTEM32\IEFRAME.dll+3ae25|C:\Windows\SYSTEM32\IEFRAME.dll+f9a06|C:\Windows\SYSTEM32\IEFRAME.dll+f93df|C:\Windows\SYSTEM32\IEFRAME.dll+f92e1|C:\Windows\SYSTEM32\IEFRAME.dll+f9104|C:\Windows\SYSTEM32\IEFRAME.dll+f9061|C:\Windows\SYSTEM32\IEFRAME.dll+3f8de|C:\Windows\SYSTEM32\ntdll.dll+39d09 10341000x8000000000000000602432Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:08.346{5A2C5089-2FB5-6007-21A2-00000000A301}54405348C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+1a6fd|C:\Windows\SYSTEM32\IEFRAME.dll+188bf|C:\Windows\SYSTEM32\IEFRAME.dll+3a601|C:\Windows\SYSTEM32\IEFRAME.dll+3ae25|C:\Windows\SYSTEM32\IEFRAME.dll+f9a06|C:\Windows\SYSTEM32\IEFRAME.dll+f93df|C:\Windows\SYSTEM32\IEFRAME.dll+f92e1|C:\Windows\SYSTEM32\IEFRAME.dll+f9104|C:\Windows\SYSTEM32\IEFRAME.dll+f9061|C:\Windows\SYSTEM32\IEFRAME.dll+3f8de|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a 10341000x8000000000000000602448Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:09.674{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602447Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:09.628{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\system32\explorerframe.dll+154e|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+832f|C:\Windows\SYSTEM32\IEFRAME.dll+e5166|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc|C:\Windows\SYSTEM32\IEFRAME.dll+1196f 10341000x8000000000000000602446Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:09.628{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+832f|C:\Windows\SYSTEM32\IEFRAME.dll+e5166|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc 10341000x8000000000000000602445Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:09.628{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+832f|C:\Windows\SYSTEM32\IEFRAME.dll+e5166|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc|C:\Windows\SYSTEM32\IEFRAME.dll+1196f 10341000x8000000000000000602444Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:09.628{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\system32\explorerframe.dll+154e|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+7dbc|C:\Windows\SYSTEM32\IEFRAME.dll+e51a1|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc|C:\Windows\SYSTEM32\IEFRAME.dll+1196f 10341000x8000000000000000602443Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:09.628{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+7dbc|C:\Windows\SYSTEM32\IEFRAME.dll+e51a1|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc 10341000x8000000000000000602442Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:09.628{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+7dbc|C:\Windows\SYSTEM32\IEFRAME.dll+e51a1|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc|C:\Windows\SYSTEM32\IEFRAME.dll+1196f 10341000x8000000000000000602441Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:09.612{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602440Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:09.612{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602450Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:10.596{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602449Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:10.596{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB5-6007-21A2-00000000A301}5440C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602495Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.159{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1928d9(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c61ff(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5faa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+135b29(wow64) 10341000x8000000000000000602494Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.159{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19285a(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c61ff(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5faa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+135b29(wow64) 10341000x8000000000000000602493Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.159{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c61ff(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5faa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64) 10341000x8000000000000000602492Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.159{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c61ff(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5faa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64) 10341000x8000000000000000602491Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1928d9(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c61b3(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5faa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+135b29(wow64) 10341000x8000000000000000602490Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19285a(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c61b3(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5faa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+135b29(wow64) 10341000x8000000000000000602489Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c61b3(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5faa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64) 10341000x8000000000000000602488Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c61b3(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5faa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64) 10341000x8000000000000000602487Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1928d9(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5f8f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+135b29(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13603d(wow64) 10341000x8000000000000000602486Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19285a(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5f8f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+135b29(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13603d(wow64) 10341000x8000000000000000602485Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5f8f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64) 10341000x8000000000000000602484Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5f8f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64) 10341000x8000000000000000602483Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1928d9(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5f58(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+135b29(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13603d(wow64) 10341000x8000000000000000602482Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19285a(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5f58(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+135b29(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13603d(wow64) 10341000x8000000000000000602481Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5f58(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64) 10341000x8000000000000000602480Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5f58(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64) 10341000x8000000000000000602479Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1928d9(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5f23(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+135b29(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13603d(wow64) 10341000x8000000000000000602478Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19285a(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5f23(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+135b29(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13603d(wow64) 10341000x8000000000000000602477Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5f23(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64) 10341000x8000000000000000602476Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5f23(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5a78(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64) 10341000x8000000000000000602475Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1928d9(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c6173(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5650(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+204f32(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5314(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64) 10341000x8000000000000000602474Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19285a(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c6173(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5650(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+204f32(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5314(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64) 10341000x8000000000000000602473Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c6173(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5650(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+204f32(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5314(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64) 10341000x8000000000000000602472Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c6173(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5650(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+204f32(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5314(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64) 10341000x8000000000000000602471Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1928d9(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c60b7(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5650(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+204f32(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5314(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64) 10341000x8000000000000000602470Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19285a(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c60b7(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5650(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+204f32(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5314(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64) 10341000x8000000000000000602469Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c60b7(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5650(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+204f32(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5314(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64) 10341000x8000000000000000602468Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c60b7(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5650(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+204f32(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5314(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64) 10341000x8000000000000000602467Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1928d9(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c60b7(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5c04(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c53ab(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+135b29(wow64) 10341000x8000000000000000602466Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19285a(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c60b7(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5c04(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c53ab(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+135b29(wow64) 10341000x8000000000000000602465Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c60b7(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5c04(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c53ab(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64) 10341000x8000000000000000602464Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+192845(wow64)|C:\Windows\System32\SHELL32.dll+1923ec(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c60b7(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5c04(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c53ab(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64) 10341000x8000000000000000602463Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\SHELL32.dll+128d10(wow64)|C:\Windows\System32\SHELL32.dll+19251f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c60b7(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5c04(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c53ab(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc746(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+bc58c(wow64) 10341000x8000000000000000602462Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+128d02(wow64)|C:\Windows\System32\SHELL32.dll+19251f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c60b7(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5c04(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c53ab(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64) 10341000x8000000000000000602461Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.143{5A2C5089-2FB6-6007-22A2-00000000A301}9481112C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+128d02(wow64)|C:\Windows\System32\SHELL32.dll+19251f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c60b7(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c5c04(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c53ab(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+c59a4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114d8a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+114b56(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+113bba(wow64) 10341000x8000000000000000602460Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.112{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\system32\explorerframe.dll+154e|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+832f|C:\Windows\SYSTEM32\IEFRAME.dll+e5166|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc|C:\Windows\SYSTEM32\IEFRAME.dll+1196f 10341000x8000000000000000602459Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.112{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+832f|C:\Windows\SYSTEM32\IEFRAME.dll+e5166|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc 10341000x8000000000000000602458Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.112{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+832f|C:\Windows\SYSTEM32\IEFRAME.dll+e5166|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc|C:\Windows\SYSTEM32\IEFRAME.dll+1196f 10341000x8000000000000000602457Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.112{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\system32\explorerframe.dll+154e|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+7dbc|C:\Windows\SYSTEM32\IEFRAME.dll+e51a1|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc|C:\Windows\SYSTEM32\IEFRAME.dll+1196f 10341000x8000000000000000602456Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.112{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+7dbc|C:\Windows\SYSTEM32\IEFRAME.dll+e51a1|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc 10341000x8000000000000000602455Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.112{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+7dbc|C:\Windows\SYSTEM32\IEFRAME.dll+e51a1|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc|C:\Windows\SYSTEM32\IEFRAME.dll+1196f 10341000x8000000000000000602454Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.096{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602453Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.096{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000602452Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.096{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\YIULYNLV\Invoke-ExecuteMSBuild[1].txt2021-01-19 19:15:12.096 11241100x8000000000000000602451Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:12.096{5A2C5089-2FB6-6007-22A2-00000000A301}948C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\YIULYNLV\Invoke-ExecuteMSBuild[1].ps12021-01-19 19:15:12.096 22542200x8000000000000000602496Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:14.235{5A2C5089-2FB6-6007-22A2-00000000A301}948raw.githubusercontent.com0type: 5 github.map.fastly.net;::ffff:151.101.52.133;C:\Program Files (x86)\Internet Explorer\iexplore.exe 10341000x8000000000000000602509Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:15.752{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\system32\explorerframe.dll+154e|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+7dbc|C:\Windows\SYSTEM32\IEFRAME.dll+e51a1|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc|C:\Windows\SYSTEM32\IEFRAME.dll+1196f 10341000x8000000000000000602508Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:15.752{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+7dbc|C:\Windows\SYSTEM32\IEFRAME.dll+e51a1|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc 10341000x8000000000000000602507Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:15.752{5A2C5089-2FB5-6007-21A2-00000000A301}54405548C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+6dbf2|C:\Windows\SYSTEM32\IEFRAME.dll+6885|C:\Windows\SYSTEM32\IEFRAME.dll+62cf|C:\Windows\SYSTEM32\IEFRAME.dll+601d|C:\Windows\SYSTEM32\IEFRAME.dll+7dbc|C:\Windows\SYSTEM32\IEFRAME.dll+e51a1|C:\Windows\SYSTEM32\IEFRAME.dll+57e1f|C:\Windows\SYSTEM32\IEFRAME.dll+57d00|C:\Windows\SYSTEM32\IEFRAME.dll+5484c|C:\Windows\SYSTEM32\IEFRAME.dll+52b91|C:\Windows\SYSTEM32\IEFRAME.dll+612b8|C:\Windows\SYSTEM32\IEFRAME.dll+60a95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+d96fc|C:\Windows\SYSTEM32\IEFRAME.dll+1196f 10341000x8000000000000000602506Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:15.752{5A2C5089-2FB5-6007-21A2-00000000A301}54404260C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141977|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+32707|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602505Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:15.752{5A2C5089-2FB5-6007-21A2-00000000A301}54404260C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1418e2|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+32707|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602504Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:15.752{5A2C5089-2FB5-6007-21A2-00000000A301}54404260C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+32707|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602503Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:15.752{5A2C5089-2FB5-6007-21A2-00000000A301}54404260C:\Program Files\Internet Explorer\iexplore.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\shcore.dll+32707|C:\Windows\SYSTEM32\IEFRAME.dll+5f954|C:\Windows\SYSTEM32\IEFRAME.dll+5f74d|C:\Windows\SYSTEM32\IEFRAME.dll+5f422|C:\Windows\SYSTEM32\IEFRAME.dll+5f177|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602502Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:15.737{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602501Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:15.737{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602500Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:15.737{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602499Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:15.737{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602498Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:15.737{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602497Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:15.737{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602539Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.534{5A2C5089-ED5A-6001-1600-00000000A301}15363212C:\Windows\system32\svchost.exe{5A2C5089-2FC5-6007-23A2-00000000A301}6572C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602538Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.534{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2FC5-6007-23A2-00000000A301}6572C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602537Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.534{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FC5-6007-23A2-00000000A301}6572C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602536Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.518{5A2C5089-2CFA-6007-61A1-00000000A301}41643176C:\Windows\system32\csrss.exe{5A2C5089-2FC5-6007-23A2-00000000A301}6572C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602535Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.518{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-2FC5-6007-23A2-00000000A301}6572C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602534Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.518{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2FC5-6007-23A2-00000000A301}6572C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602533Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.502{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602532Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.502{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602531Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.502{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602530Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.502{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602529Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602528Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602527Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602526Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602525Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602524Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602523Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602522Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602521Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602520Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602519Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602518Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602517Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602516Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602515Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602514Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602513Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602512Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.471{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602511Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.455{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x8000000000000000602510Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:17.455{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x8000000000000000602572Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.627{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602571Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.627{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602570Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.627{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602569Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.455{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-2FAB-6007-1BA2-00000000A301}6544C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602568Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.455{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-2FAB-6007-1BA2-00000000A301}6544C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602567Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.283{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602566Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.283{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602565Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.283{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602564Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.283{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602563Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.283{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602562Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.283{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602561Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.283{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602560Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.283{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602559Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.221{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602558Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.221{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602557Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.221{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602556Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.221{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602555Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.221{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602554Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.221{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602553Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.221{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602552Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.221{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602551Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.221{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602550Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.221{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602549Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.205{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602548Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.205{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602547Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.205{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602546Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.205{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602545Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.205{5A2C5089-2CFD-6007-76A1-00000000A301}22565596C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602544Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.205{5A2C5089-2CFD-6007-76A1-00000000A301}22565596C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602543Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.205{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000602542Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.205{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602541Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.205{5A2C5089-2CFC-6007-6CA1-00000000A301}22885784C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000602540Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:22.205{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602596Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.674{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602595Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.674{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602594Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.674{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602593Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.674{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602592Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.674{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602591Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.674{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602590Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602589Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602588Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.455{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602587Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.455{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602586Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.455{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602585Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.455{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602584Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.455{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602583Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.455{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602582Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.455{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602581Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.455{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602580Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.143{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602579Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.143{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602578Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.143{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602577Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.143{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602576Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.143{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602575Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.143{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602574Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.143{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602573Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:23.143{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602677Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.768{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000602676Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.768{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602675Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.768{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602674Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.768{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602673Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.768{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602672Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.752{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602671Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.752{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602670Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.752{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602669Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.752{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602668Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.752{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602667Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.752{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602666Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.752{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602665Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.752{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602664Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000602663Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602662Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602661Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602660Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602659Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602658Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602657Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602656Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602655Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602654Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602653Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602652Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.658{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602651Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.549{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000602650Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.549{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602649Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.549{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602648Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.549{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602647Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.549{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602646Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.549{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602645Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.549{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602644Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.549{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602643Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.549{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602642Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.549{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602641Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.549{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602640Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.549{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602639Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.549{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602638Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.377{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000602637Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.377{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602636Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.377{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602635Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.377{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602634Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.377{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602633Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.377{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602632Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.377{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602631Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.377{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602630Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.377{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602629Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.377{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602628Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.377{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602627Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.377{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602626Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.377{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602625Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.330{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000602624Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.330{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602623Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.330{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602622Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.330{5A2C5089-2CFC-6007-6CA1-00000000A301}22885916C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602621Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.315{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602620Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.315{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602619Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.315{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602618Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.315{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602617Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.315{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602616Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.315{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602615Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.315{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602614Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.315{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602613Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.315{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602612Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.268{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602611Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.268{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602610Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.268{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602609Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.268{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602608Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.268{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602607Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.268{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602606Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.268{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602605Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.268{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602604Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.065{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602603Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.065{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602602Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.065{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602601Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.065{5A2C5089-2CFC-6007-6CA1-00000000A301}22884288C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602600Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.065{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602599Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.065{5A2C5089-2CFC-6007-6CA1-00000000A301}22885400C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602598Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.065{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602597Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:24.065{5A2C5089-2CFC-6007-6CA1-00000000A301}22883820C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602707Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.736{5A2C5089-ED5A-6001-1600-00000000A301}15363212C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602706Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.736{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602705Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.705{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602704Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.705{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602703Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.705{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602702Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.705{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602701Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.424{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602700Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.424{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602699Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.424{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602698Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.424{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602697Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.408{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602696Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.408{5A2C5089-2CFD-6007-76A1-00000000A301}22565344C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602695Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.408{5A2C5089-2CFD-6007-76A1-00000000A301}22565344C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602694Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.408{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602693Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.408{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602692Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.408{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602691Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.393{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602690Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.393{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602689Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.393{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602688Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.393{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602687Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.393{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602686Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.393{5A2C5089-2CFD-6007-76A1-00000000A301}22564488C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+8fe71|C:\Windows\System32\SHELL32.dll+8ecd6|C:\Windows\System32\SHELL32.dll+cfbb1|C:\Windows\System32\SHELL32.dll+b5dbe|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+cfc37|C:\Windows\System32\SHELL32.dll+b5dbe|C:\Windows\System32\SHELL32.dll+17024f 154100x8000000000000000602685Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.400{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe10.0.14393.4046 (rs1_release.201028-1803)Windows PowerShell ISEMicrosoft® Windows® Operating SystemMicrosoft Corporationpowershell_ise.EXE"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=FEBDA520271B683CD518B3425EC585D4,SHA256=8CFAC3F204DF864A5E9D9E20A4E7D4D70CB30A146661D0F7447A927BE74F7F04,IMPHASH=00000000000000000000000000000000{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000602684Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.377{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602683Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.377{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602682Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.377{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000602681Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.377{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000602680Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.377{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000602679Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.377{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602678Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:27.377{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602716Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:28.471{5A2C5089-ED5A-6001-1000-00000000A301}11681856C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602715Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:28.455{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602714Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:28.455{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602713Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:28.455{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602712Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:28.455{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602711Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:28.455{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602710Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:28.439{5A2C5089-ED5A-6001-1000-00000000A301}11681856C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602709Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:28.439{5A2C5089-ED5A-6001-1000-00000000A301}11681856C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602708Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:28.283{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000602719Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:29.705{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_rw2ztouo.ipy.ps12021-01-19 19:15:29.705 10341000x8000000000000000602718Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:29.549{5A2C5089-ED57-6001-0B00-00000000A301}8602488C:\Windows\system32\lsass.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602717Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:29.549{5A2C5089-ED57-6001-0B00-00000000A301}8602488C:\Windows\system32\lsass.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602731Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:30.361{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602730Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:30.361{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602729Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:30.236{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+f754|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602728Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:30.236{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+f754|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602727Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:30.236{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602726Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:30.236{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602725Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:30.236{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602724Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:30.236{5A2C5089-2CFD-6007-76A1-00000000A301}22565556C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602723Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:30.111{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602722Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:30.111{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602721Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:30.111{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602720Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:30.111{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602748Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.971{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2FD4-6007-25A2-00000000A301}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602747Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.924{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602746Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.924{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602745Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.924{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602744Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.924{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602743Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.924{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2FD4-6007-25A2-00000000A301}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602742Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.924{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2FD4-6007-25A2-00000000A301}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000602741Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.784{5A2C5089-2FD4-6007-25A2-00000000A301}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000602740Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.861{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602739Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.861{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602738Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.861{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602737Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.861{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602736Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.861{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602735Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.861{5A2C5089-2CFC-6007-6DA1-00000000A301}1344184C:\Windows\system32\sihost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602734Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.705{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602733Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.705{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602732Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:32.705{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602758Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:33.986{5A2C5089-2FD5-6007-26A2-00000000A301}47122440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602757Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:33.830{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2FD5-6007-26A2-00000000A301}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602756Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:33.814{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602755Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:33.814{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602754Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:33.814{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602753Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:33.814{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602752Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:33.814{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2FD5-6007-26A2-00000000A301}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602751Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:33.814{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2FD5-6007-26A2-00000000A301}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000602750Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:33.674{5A2C5089-2FD5-6007-26A2-00000000A301}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000602749Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:33.064{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602767Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:34.814{5A2C5089-2FD6-6007-27A2-00000000A301}62326704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602766Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:34.642{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2FD6-6007-27A2-00000000A301}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602765Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:34.627{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602764Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:34.627{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602763Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:34.627{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602762Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:34.627{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602761Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:34.627{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2FD6-6007-27A2-00000000A301}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602760Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:34.627{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2FD6-6007-27A2-00000000A301}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000602759Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:34.487{5A2C5089-2FD6-6007-27A2-00000000A301}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000602868Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.752{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+d1597|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000602867Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.752{5A2C5089-2FCF-6007-24A2-00000000A301}64366936Modeindows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d141d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\System32\shell32.dll+d2f40|C:\Windows\System32\shell32.dll+d2e6d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\comdlg32.dll+13ae4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+8cc531|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+b0f635|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+9ebae3|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\86e623d45f0cd237846fd8cc522ad45e\Microsoft.PowerShell.GPowerShell.ni.dll+fff80009(wow64) 10341000x8000000000000000602866Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.752{5A2C5089-2FCF-6007-24A2-00000000A301}64366936Modeindows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d1399|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\System32\shell32.dll+d2f40|C:\Windows\System32\shell32.dll+d2e6d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\comdlg32.dll+13ae4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+8cc531|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+b0f635|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+9ebae3|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\86e623d45f0cd237846fd8cc522ad45e\Microsoft.PowerShell.GPowerShell.ni.dll+fff80009(wow64) 10341000x8000000000000000602865Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.752{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\System32\shell32.dll+d2f40|C:\Windows\System32\shell32.dll+d2e6d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\comdlg32.dll+13ae4 10341000x8000000000000000602864Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.752{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\System32\shell32.dll+d2f40|C:\Windows\System32\shell32.dll+d2e6d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\comdlg32.dll+13ae4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+8cc531 10341000x8000000000000000602863Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.611{5A2C5089-2FD7-6007-28A2-00000000A301}52566364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602862Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.502{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+d1597|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000602861Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.502{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d141d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602860Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.502{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d1399|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602859Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.502{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602858Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.502{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000602857Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.455{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2FD7-6007-28A2-00000000A301}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602856Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.455{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602855Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.455{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602854Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.439{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602853Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.439{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602852Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.439{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2FD7-6007-28A2-00000000A301}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602851Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.439{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2FD7-6007-28A2-00000000A301}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000602850Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.299{5A2C5089-2FD7-6007-28A2-00000000A301}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000602849Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.408{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+d1597|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000602848Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.408{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+d1597|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000602847Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.408{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+d1597|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000602846Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.408{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+d1597|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000602845Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.408{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+d1597|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000602844Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.408{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+d1597|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000602843Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d141d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602842Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d1399|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602841Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602840Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000602839Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d141d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602838Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d1399|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602837Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602836Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000602835Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d141d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602834Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d1399|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602833Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602832Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000602831Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d141d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602830Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d1399|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602829Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602828Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000602827Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d141d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602826Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d1399|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602825Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602824Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.392{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000602823Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.377{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d141d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602822Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.377{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d1399|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602821Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.377{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602820Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.377{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000602819Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.377{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+d1597|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000602818Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.377{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+d1597|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000602817Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.361{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d141d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\comdlg32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\shell32.dll+139657|C:\Windows\System32\shell32.dll+138ad8|C:\Windows\System32\shell32.dll+1386db|C:\Windows\System32\shell32.dll+138847|C:\Windows\System32\shell32.dll+1387ca|C:\Windows\System32\comdlg32.dll+10e08 10341000x8000000000000000602816Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.361{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d1399|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\comdlg32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\shell32.dll+139657|C:\Windows\System32\shell32.dll+138ad8|C:\Windows\System32\shell32.dll+1386db|C:\Windows\System32\shell32.dll+138847|C:\Windows\System32\shell32.dll+1387ca|C:\Windows\System32\comdlg32.dll+10e08 10341000x8000000000000000602815Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.361{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\comdlg32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\shell32.dll+139657|C:\Windows\System32\shell32.dll+138ad8 10341000x8000000000000000602814Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.361{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\comdlg32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\shell32.dll+139657|C:\Windows\System32\shell32.dll+138ad8|C:\Windows\System32\shell32.dll+1386db 10341000x8000000000000000602813Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.361{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d141d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\shell32.dll+ee0c3|C:\Windows\System32\shell32.dll+ee4c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x8000000000000000602812Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.361{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d1399|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\shell32.dll+ee0c3|C:\Windows\System32\shell32.dll+ee4c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x8000000000000000602811Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.361{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\shell32.dll+ee0c3|C:\Windows\System32\shell32.dll+ee4c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x8000000000000000602810Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.361{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\shell32.dll+ee0c3|C:\Windows\System32\shell32.dll+ee4c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 10341000x8000000000000000602809Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.314{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+da74e|C:\Windows\System32\windows.storage.dll+dab86|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174 10341000x8000000000000000602808Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.314{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da865|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\shell32.dll+be07c|C:\Windows\System32\shell32.dll+bdbc5|C:\Windows\System32\shell32.dll+be6dd|C:\Windows\System32\shell32.dll+c1cff|C:\Windows\System32\shell32.dll+13942e|C:\Windows\System32\shell32.dll+139046|C:\Windows\System32\shell32.dll+138ac3|C:\Windows\System32\shell32.dll+1386db 10341000x8000000000000000602807Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.314{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da7e1|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\shell32.dll+be07c|C:\Windows\System32\shell32.dll+bdbc5|C:\Windows\System32\shell32.dll+be6dd|C:\Windows\System32\shell32.dll+c1cff|C:\Windows\System32\shell32.dll+13942e|C:\Windows\System32\shell32.dll+139046|C:\Windows\System32\shell32.dll+138ac3|C:\Windows\System32\shell32.dll+1386db 10341000x8000000000000000602806Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.314{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\shell32.dll+be07c|C:\Windows\System32\shell32.dll+bdbc5|C:\Windows\System32\shell32.dll+be6dd|C:\Windows\System32\shell32.dll+c1cff 10341000x8000000000000000602805Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.314{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\shell32.dll+be07c|C:\Windows\System32\shell32.dll+bdbc5|C:\Windows\System32\shell32.dll+be6dd|C:\Windows\System32\shell32.dll+c1cff|C:\Windows\System32\shell32.dll+13942e 10341000x8000000000000000602804Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.267{5A2C5089-2FCF-6007-24A2-00000000A301}64366040C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+da74e|C:\Windows\System32\windows.storage.dll+dab86|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7FAC2)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.dll+84d4 10341000x8000000000000000602803Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.267{5A2C5089-2FCF-6007-24A2-00000000A301}64366040C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+da74e|C:\Windows\System32\windows.storage.dll+dab86|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7FAC2)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.dll+84d4 10341000x8000000000000000602802Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.267{5A2C5089-2FCF-6007-24A2-00000000A301}64366040C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da865|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A84B17)|UNKNOWN(FFFFF3E740A7F1A1)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7FAC2)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x8000000000000000602801Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.267{5A2C5089-2FCF-6007-24A2-00000000A301}64366040C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da7e1|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A84B17)|UNKNOWN(FFFFF3E740A7F1A1)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7FAC2)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x8000000000000000602800Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.267{5A2C5089-2FCF-6007-24A2-00000000A301}64366040C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A84B17)|UNKNOWN(FFFFF3E740A7F1A1)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7FAC2) 10341000x8000000000000000602799Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.267{5A2C5089-2FCF-6007-24A2-00000000A301}64366040C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A84B17)|UNKNOWN(FFFFF3E740A7F1A1)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7FAC2)|UNKNOWN(FFFFF800C4F7BE03) 10341000x8000000000000000602798Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.267{5A2C5089-2FCF-6007-24A2-00000000A301}64366040C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da865|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A84B17)|UNKNOWN(FFFFF3E740A7F1A1)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7FAC2)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x8000000000000000602797Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.267{5A2C5089-2FCF-6007-24A2-00000000A301}64366040C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da7e1|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A84B17)|UNKNOWN(FFFFF3E740A7F1A1)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7FAC2)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x8000000000000000602796Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.267{5A2C5089-2FCF-6007-24A2-00000000A301}64366040C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A84B17)|UNKNOWN(FFFFF3E740A7F1A1)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7FAC2) 10341000x8000000000000000602795Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.267{5A2C5089-2FCF-6007-24A2-00000000A301}64366040C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A84B17)|UNKNOWN(FFFFF3E740A7F1A1)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7FAC2)|UNKNOWN(FFFFF800C4F7BE03) 10341000x8000000000000000602794Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.142{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+5faba|C:\Windows\System32\shell32.dll+d42b4|C:\Windows\System32\shell32.dll+d1b5b|C:\Windows\System32\shell32.dll+d163d|C:\Windows\System32\shell32.dll+439c9|C:\Windows\System32\comdlg32.dll+13ab9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+8cc531|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+b0f635|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+9ebae3|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\86e623d45f0cd237846fd8cc522ad45e\Microsoft.PowerShell.GPowerShell.ni.dll+fff80009(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\86e623d45f0cd237846fd8cc522ad45e\Microsoft.PowerShell.GPowerShell.ni.dll+fff80009(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\86e623d45f0cd237846fd8cc522ad45e\Microsoft.PowerShell.GPowerShell.ni.dll+fff80009(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ffa1b5765e87e587bdbe4f912b065746\PresentationCore.ni.dll+85c94f|C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ffa1b5765e87e587bdbe4f912b065746\PresentationCore.ni.dll+85dd43|C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ffa1b5765e87e587bdbe4f912b065746\PresentationCore.ni.dll+c5f105|C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ffa1b5765e87e587bdbe4f912b065746\PresentationCore.ni.dll+2d4d27|C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ffa1b5765e87e587bdbe4f912b065746\PresentationCore.ni.dll+85dc19 10341000x8000000000000000602793Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.142{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+5faa8|C:\Windows\System32\shell32.dll+d42b4|C:\Windows\System32\shell32.dll+d1b5b|C:\Windows\System32\shell32.dll+d163d|C:\Windows\System32\shell32.dll+439c9|C:\Windows\System32\comdlg32.dll+13ab9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+8cc531|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+b0f635|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+9ebae3|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\86e623d45f0cd237846fd8cc522ad45e\Microsoft.PowerShell.GPowerShell.ni.dll+fff80009(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\86e623d45f0cd237846fd8cc522ad45e\Microsoft.PowerShell.GPowerShell.ni.dll+fff80009(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\86e623d45f0cd237846fd8cc522ad45e\Microsoft.PowerShell.GPowerShell.ni.dll+fff80009(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ffa1b5765e87e587bdbe4f912b065746\PresentationCore.ni.dll+85c94f|C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ffa1b5765e87e587bdbe4f912b065746\PresentationCore.ni.dll+85dd43|C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ffa1b5765e87e587bdbe4f912b065746\PresentationCore.ni.dll+c5f105|C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ffa1b5765e87e587bdbe4f912b065746\PresentationCore.ni.dll+2d4d27 10341000x8000000000000000602792Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.127{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+5faa8|C:\Windows\System32\shell32.dll+d42b4|C:\Windows\System32\shell32.dll+d1b5b|C:\Windows\System32\shell32.dll+d163d|C:\Windows\System32\shell32.dll+439c9|C:\Windows\System32\comdlg32.dll+13ab9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+8cc531|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+b0f635|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+9ebae3|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\86e623d45f0cd237846fd8cc522ad45e\Microsoft.PowerShell.GPowerShell.ni.dll+fff80009(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\86e623d45f0cd237846fd8cc522ad45e\Microsoft.PowerShell.GPowerShell.ni.dll+fff80009(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\86e623d45f0cd237846fd8cc522ad45e\Microsoft.PowerShell.GPowerShell.ni.dll+fff80009(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ffa1b5765e87e587bdbe4f912b065746\PresentationCore.ni.dll+85c94f|C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ffa1b5765e87e587bdbe4f912b065746\PresentationCore.ni.dll+85dd43|C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ffa1b5765e87e587bdbe4f912b065746\PresentationCore.ni.dll+c5f105|C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ffa1b5765e87e587bdbe4f912b065746\PresentationCore.ni.dll+2d4d27|C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ffa1b5765e87e587bdbe4f912b065746\PresentationCore.ni.dll+85dc19 10341000x8000000000000000602791Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1000-00000000A301}1168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602790Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1000-00000000A301}1168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602789Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602788Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602787Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602786Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602785Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602784Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602783Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602782Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602781Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602780Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602779Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602778Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602777Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602776Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602775Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602774Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602773Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602772Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602771Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602770Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602769Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602768Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:35.111{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602876Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:36.267{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2FD8-6007-29A2-00000000A301}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602875Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:36.267{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602874Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:36.267{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602873Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:36.267{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602872Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:36.267{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602871Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:36.267{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2FD8-6007-29A2-00000000A301}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602870Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:36.267{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2FD8-6007-29A2-00000000A301}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000602869Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:36.127{5A2C5089-2FD8-6007-29A2-00000000A301}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000602893Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.908{5A2C5089-2FD9-6007-2BA2-00000000A301}43325288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602892Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.752{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2FD9-6007-2BA2-00000000A301}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602891Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.752{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602890Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.752{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602889Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.752{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602888Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.752{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602887Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.752{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2FD9-6007-2BA2-00000000A301}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602886Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.752{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2FD9-6007-2BA2-00000000A301}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000602885Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.752{5A2C5089-2FD9-6007-2BA2-00000000A301}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000602884Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.095{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-2FD8-6007-2AA2-00000000A301}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602883Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.080{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602882Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.080{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602881Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.080{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602880Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.080{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602879Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.080{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2FD8-6007-2AA2-00000000A301}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602878Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:37.080{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-2FD8-6007-2AA2-00000000A301}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000602877Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:36.940{5A2C5089-2FD8-6007-2AA2-00000000A301}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000602923Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.330{5A2C5089-ED5A-6001-1600-00000000A301}15363212C:\Windows\system32\svchost.exe{5A2C5089-2FDA-6007-2CA2-00000000A301}6872C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602922Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.330{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2FDA-6007-2CA2-00000000A301}6872C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602921Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.330{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2FDA-6007-2CA2-00000000A301}6872C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602920Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.314{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-2FDA-6007-2CA2-00000000A301}6872C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602919Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.314{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-2FDA-6007-2CA2-00000000A301}6872C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000602918Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.314{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2FDA-6007-2CA2-00000000A301}6872C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602917Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.298{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602916Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.298{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602915Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.298{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602914Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.298{5A2C5089-2CFD-6007-76A1-00000000A301}22565800C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602913Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.267{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x8000000000000000602912Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.267{5A2C5089-2CFC-6007-6CA1-00000000A301}22885672C:\Windows\System32\RuntimeBroker.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+9adba|C:\Windows\System32\combase.dll+91b7d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+277f|C:\Windows\System32\combase.dll+513e3|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x8000000000000000602911Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.267{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602910Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.267{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602909Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602908Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602907Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602906Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602905Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602904Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-ED59-6001-0C00-00000000A301}6684968C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602903Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602902Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602901Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000602900Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602899Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602898Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602897Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602896Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-2CFD-6007-76A1-00000000A301}22564524C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602895Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602894Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:38.252{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602924Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:39.423{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602936Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:45.033{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602935Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:45.033{5A2C5089-2CFD-6007-76A1-00000000A301}22565580C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000602934Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:45.033{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602933Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:45.033{5A2C5089-2CFD-6007-76A1-00000000A301}22566504C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602932Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:45.033{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602931Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:45.033{5A2C5089-2CFD-6007-76A1-00000000A301}22566504C:\Windows\Explorer.EXE{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602930Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:45.033{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602929Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:45.017{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602928Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:45.017{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602927Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:45.017{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602926Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:45.017{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602925Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:45.017{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602950Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:47.986{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d141d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\comdlg32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\shell32.dll+139657|C:\Windows\System32\shell32.dll+138ad8|C:\Windows\System32\shell32.dll+1386db|C:\Windows\System32\shell32.dll+138847|C:\Windows\System32\shell32.dll+2e8acd|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602949Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:47.986{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d1399|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\comdlg32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\shell32.dll+139657|C:\Windows\System32\shell32.dll+138ad8|C:\Windows\System32\shell32.dll+1386db|C:\Windows\System32\shell32.dll+138847|C:\Windows\System32\shell32.dll+2e8acd|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602948Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:47.986{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\comdlg32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\shell32.dll+139657|C:\Windows\System32\shell32.dll+138ad8 10341000x8000000000000000602947Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:47.986{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\comdlg32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\shell32.dll+139657|C:\Windows\System32\shell32.dll+138ad8|C:\Windows\System32\shell32.dll+1386db 10341000x8000000000000000602946Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:47.970{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+da74e|C:\Windows\System32\windows.storage.dll+dab86|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174 10341000x8000000000000000602945Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:47.970{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da865|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\shell32.dll+be07c|C:\Windows\System32\shell32.dll+bdbc5|C:\Windows\System32\shell32.dll+be6dd|C:\Windows\System32\shell32.dll+c1cff|C:\Windows\System32\shell32.dll+13942e|C:\Windows\System32\shell32.dll+139046|C:\Windows\System32\shell32.dll+138ac3|C:\Windows\System32\shell32.dll+1386db 10341000x8000000000000000602944Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:47.970{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da7e1|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\shell32.dll+be07c|C:\Windows\System32\shell32.dll+bdbc5|C:\Windows\System32\shell32.dll+be6dd|C:\Windows\System32\shell32.dll+c1cff|C:\Windows\System32\shell32.dll+13942e|C:\Windows\System32\shell32.dll+139046|C:\Windows\System32\shell32.dll+138ac3|C:\Windows\System32\shell32.dll+1386db 10341000x8000000000000000602943Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:47.970{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\shell32.dll+be07c|C:\Windows\System32\shell32.dll+bdbc5|C:\Windows\System32\shell32.dll+be6dd|C:\Windows\System32\shell32.dll+c1cff 10341000x8000000000000000602942Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:47.970{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\shell32.dll+be07c|C:\Windows\System32\shell32.dll+bdbc5|C:\Windows\System32\shell32.dll+be6dd|C:\Windows\System32\shell32.dll+c1cff|C:\Windows\System32\shell32.dll+13942e 10341000x8000000000000000602941Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:47.954{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+d1597|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000602940Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:47.954{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d141d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\System32\shell32.dll+2e81f9|C:\Windows\System32\shell32.dll+22d4cc|C:\Windows\System32\shell32.dll+2e532b|C:\Windows\System32\shell32.dll+42d79d|C:\Windows\System32\shell32.dll+42c434|C:\Windows\system32\explorerframe.dll+104960|C:\Windows\system32\explorerframe.dll+a7e78|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612 10341000x8000000000000000602939Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:47.954{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d1399|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\System32\shell32.dll+2e81f9|C:\Windows\System32\shell32.dll+22d4cc|C:\Windows\System32\shell32.dll+2e532b|C:\Windows\System32\shell32.dll+42d79d|C:\Windows\System32\shell32.dll+42c434|C:\Windows\system32\explorerframe.dll+104960|C:\Windows\system32\explorerframe.dll+a7e78|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612 10341000x8000000000000000602938Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:47.954{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\System32\shell32.dll+2e81f9|C:\Windows\System32\shell32.dll+22d4cc|C:\Windows\System32\shell32.dll+2e532b|C:\Windows\System32\shell32.dll+42d79d|C:\Windows\System32\shell32.dll+42c434|C:\Windows\system32\explorerframe.dll+104960|C:\Windows\system32\explorerframe.dll+a7e78|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770 10341000x8000000000000000602937Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:47.954{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\System32\shell32.dll+2e81f9|C:\Windows\System32\shell32.dll+22d4cc|C:\Windows\System32\shell32.dll+2e532b|C:\Windows\System32\shell32.dll+42d79d|C:\Windows\System32\shell32.dll+42c434|C:\Windows\system32\explorerframe.dll+104960|C:\Windows\system32\explorerframe.dll+a7e78|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547 10341000x8000000000000000602956Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:48.345{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+d1597|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000602955Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:48.345{5A2C5089-2FCF-6007-24A2-00000000A301}64366936Modeindows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d141d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\System32\shell32.dll+d2f40|C:\Windows\System32\shell32.dll+d2e6d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\comdlg32.dll+13ae4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+8cc531|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+b0f635|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+9ebae3|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\86e623d45f0cd237846fd8cc522ad45e\Microsoft.PowerShell.GPowerShell.ni.dll+fff80009(wow64) 10341000x8000000000000000602954Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:48.345{5A2C5089-2FCF-6007-24A2-00000000A301}64366936Modeindows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+d1399|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\System32\shell32.dll+d2f40|C:\Windows\System32\shell32.dll+d2e6d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\comdlg32.dll+13ae4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+8cc531|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+b0f635|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+9ebae3|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\86e623d45f0cd237846fd8cc522ad45e\Microsoft.PowerShell.GPowerShell.ni.dll+fff80009(wow64) 10341000x8000000000000000602953Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:48.345{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\System32\shell32.dll+d2f40|C:\Windows\System32\shell32.dll+d2e6d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\comdlg32.dll+13ae4 10341000x8000000000000000602952Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:48.345{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d137d|C:\Windows\System32\shell32.dll+d1ac3|C:\Windows\System32\shell32.dll+d19f4|C:\Windows\System32\shell32.dll+d12a2|C:\Windows\System32\shell32.dll+d2f40|C:\Windows\System32\shell32.dll+d2e6d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\comdlg32.dll+13ae4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\b0c2dbce7105af34ebf28a8e4b193140\System.Windows.Forms.ni.dll+8cc531 10341000x8000000000000000602951Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:48.001{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+d1597|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740ACEF75)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174|C:\Windows\System32\win32u.dll+10c4 11241100x8000000000000000603042Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\Desktop\Invoke-ExecuteMSBuild.ps12021-01-19 19:15:49.064 11241100x8000000000000000603041Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Invoke-ExecuteMSBuild.lnk2021-01-19 19:15:49.095 10341000x8000000000000000603040Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603039Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603038Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603037Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603036Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603035Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603034Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603033Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603032Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603031Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603030Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603029Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603028Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603027Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603026Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.095{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+48067|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740A84998)|UNKNOWN(FFFFF3E740A7F645)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603025Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603024Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603023Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603022Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603021Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603020Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603019Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603018Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603017Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603016Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603015Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603014Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603013Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603012Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603011Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603010Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603009Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603008Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603007Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603006Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603005Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603004Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603003Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603002Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603001Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603000Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602999Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602998Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602997Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602996Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602995Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602994Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602993Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602992Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602991Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602990Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602989Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602988Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602987Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602986Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602985Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602984Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602983Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602982Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602981Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602980Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602979Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602978Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602977Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602976Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602975Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602974Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602973Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602972Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602971Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602970Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602969Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5bbf|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602968Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a5b2a|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602967Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602966Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.079{5A2C5089-2CFD-6007-76A1-00000000A301}22565124C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a5b06|C:\Windows\System32\SHELL32.dll+a74b8|C:\Windows\System32\SHELL32.dll+a4125|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a7f1a|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602965Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.064{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602964Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.064{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602963Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.064{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\windows.storage.dll+3c74ce|C:\Windows\System32\windows.storage.dll+3c94ce|C:\Windows\System32\windows.storage.dll+13c2d3|C:\Windows\System32\windows.storage.dll+13bcc9|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602962Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.064{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\windows.storage.dll+3c74ce|C:\Windows\System32\windows.storage.dll+3c94ce|C:\Windows\System32\windows.storage.dll+13c2d3|C:\Windows\System32\windows.storage.dll+13bcc9|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602961Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.064{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3ca63e|C:\Windows\System32\windows.storage.dll+3c62ff|C:\Windows\System32\windows.storage.dll+3c7440|C:\Windows\System32\windows.storage.dll+3c94ce|C:\Windows\System32\windows.storage.dll+13c2d3|C:\Windows\System32\windows.storage.dll+13bcc9|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602960Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.064{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c7b98|C:\Windows\System32\windows.storage.dll+3cc19f|C:\Windows\System32\comdlg32.dll+d92b|C:\Windows\System32\comdlg32.dll+d6ae|C:\Windows\System32\comdlg32.dll+12618|C:\Windows\System32\comdlg32.dll+6812b|C:\Windows\System32\comdlg32.dll+8e70|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+115a5|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+4a57e|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5fa88|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\comdlg32.dll+22bad|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000602959Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.064{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c7b7c|C:\Windows\System32\windows.storage.dll+3cc19f|C:\Windows\System32\comdlg32.dll+d92b|C:\Windows\System32\comdlg32.dll+d6ae|C:\Windows\System32\comdlg32.dll+12618|C:\Windows\System32\comdlg32.dll+6812b|C:\Windows\System32\comdlg32.dll+8e70|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+115a5|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+4a57e|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5fa88|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000602958Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.064{5A2C5089-2FCF-6007-24A2-00000000A301}64366936C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c7b7c|C:\Windows\System32\windows.storage.dll+3cc19f|C:\Windows\System32\comdlg32.dll+d92b|C:\Windows\System32\comdlg32.dll+d6ae|C:\Windows\System32\comdlg32.dll+12618|C:\Windows\System32\comdlg32.dll+6812b|C:\Windows\System32\comdlg32.dll+8e70|C:\Windows\System32\USER32.dll+156c2|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+115a5|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+4a57e|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5fa88|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 11241100x8000000000000000602957Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:49.064{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\Desktop\Invoke-ExecuteMSBuild.ps12021-01-19 19:15:49.064 10341000x8000000000000000603051Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:50.486{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000603050Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:50.486{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000603049Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:50.486{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000603048Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:50.486{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000603047Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:50.486{5A2C5089-ED59-6001-0C00-00000000A301}6684664C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000603046Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:50.486{5A2C5089-2CFC-6007-6DA1-00000000A301}1344184C:\Windows\system32\sihost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603045Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:50.314{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000603044Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:50.314{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000603043Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:50.314{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x8000000000000000603059Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:52.142{5A2C5089-ED5A-6001-1600-00000000A301}15363212C:\Windows\system32\svchost.exe{5A2C5089-2FE8-6007-2DA2-00000000A301}5364C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603058Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:52.142{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-2FE8-6007-2DA2-00000000A301}5364C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603057Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:52.142{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2FE8-6007-2DA2-00000000A301}5364C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603056Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:52.142{5A2C5089-2CFA-6007-61A1-00000000A301}41643176C:\Windows\system32\csrss.exe{5A2C5089-2FE8-6007-2DA2-00000000A301}5364C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603055Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:52.126{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-2FE8-6007-2DA2-00000000A301}5364C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603054Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:52.126{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2FE8-6007-2DA2-00000000A301}5364C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603053Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:52.017{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603052Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:15:52.017{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000603062Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:16:00.579{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\0C308890-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_0C308890-0000-0000-0000-100000000000.XML 13241300x8000000000000000603061Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:16:00.563{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9916ACFC-C6A5-411F-AB13-8F4D0BF713D8\Config SourceDWORD (0x00000001) 13241300x8000000000000000603060Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:16:00.563{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9916ACFC-C6A5-411F-AB13-8F4D0BF713D8\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9916ACFC-C6A5-411F-AB13-8F4D0BF713D8.XML 10341000x8000000000000000603064Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:01.673{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603063Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:01.673{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603066Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:02.782{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603065Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:02.782{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603068Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:14.282{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603067Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:14.282{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603089Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.922{5A2C5089-300C-6007-30A2-00000000A301}67681148C:\Windows\system32\conhost.exe{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603088Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.812{5A2C5089-2CFA-6007-61A1-00000000A301}41643176C:\Windows\system32\csrss.exe{5A2C5089-300C-6007-30A2-00000000A301}6768C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603087Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.812{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603086Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.812{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603085Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.812{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603084Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.812{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603083Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.812{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603082Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.812{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603081Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.812{5A2C5089-2FAA-6007-18A2-00000000A301}58841764C:\Windows\system32\wbem\wmiprvse.exe{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x8000000000000000603080Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.818{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe4.7.2053.0 built by: NET47REL1MSBuild.exeMicrosoft® .NET FrameworkMicrosoft CorporationMSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Tasks\pshell.xmlC:\Windows\system32\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=E5AC74797478CD9649F201931EDE1166,SHA256=C50E0AA6EF6A1B6B775C8DC1D64E351610ABD7DDD08717C06A3A17C9D11A95DC,IMPHASH=00000000000000000000000000000000{5A2C5089-2FAA-6007-18A2-00000000A301}5884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x8000000000000000603079Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localT10532021-01-19 19:16:28.797{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Windows\Tasks\pshell.xml2021-01-19 19:16:28.797 10341000x8000000000000000603078Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.734{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603077Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.734{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603076Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.734{5A2C5089-ED57-6001-0B00-00000000A301}8602232C:\Windows\system32\lsass.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603075Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.687{5A2C5089-ED5A-6001-1600-00000000A301}15365288C:\Windows\system32\svchost.exe{5A2C5089-300C-6007-2EA2-00000000A301}4332C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603074Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.672{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-300C-6007-2EA2-00000000A301}4332C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603073Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.672{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-300C-6007-2EA2-00000000A301}4332C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603072Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.656{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-300C-6007-2EA2-00000000A301}4332C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603071Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.640{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603070Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.640{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603069Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:28.640{5A2C5089-ED57-6001-0B00-00000000A301}8602232C:\Windows\system32\lsass.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603146Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.828{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603145Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.828{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000603144Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.719{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vygopllw.25z.ps12021-01-19 19:16:29.719 11241100x8000000000000000603143Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:16:29.687{5A2C5089-300D-6007-33A2-00000000A301}4704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\rqh4poma\rqh4poma.dll2021-01-19 19:16:29.594 10341000x8000000000000000603142Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.687{5A2C5089-300C-6007-30A2-00000000A301}67681148C:\Windows\system32\conhost.exe{5A2C5089-300D-6007-34A2-00000000A301}4148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603141Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.687{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603140Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.687{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603139Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.687{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603138Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.687{5A2C5089-2CFA-6007-61A1-00000000A301}41643176C:\Windows\system32\csrss.exe{5A2C5089-300D-6007-34A2-00000000A301}4148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603137Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.687{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603136Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.687{5A2C5089-300D-6007-33A2-00000000A301}47046944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5A2C5089-300D-6007-34A2-00000000A301}4148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603135Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.688{5A2C5089-300D-6007-34A2-00000000A301}4148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESB8FE.tmp" "c:\Users\Administrator\AppData\Local\Temp\rqh4poma\CSCFB7836F07AE84B54A64BADC5BAA8A7BE.TMP"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5A2C5089-300D-6007-33A2-00000000A301}4704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\rqh4poma\rqh4poma.cmdline" 10341000x8000000000000000603134Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.594{5A2C5089-300C-6007-30A2-00000000A301}67681148C:\Windows\system32\conhost.exe{5A2C5089-300D-6007-33A2-00000000A301}4704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603133Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.594{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603132Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.594{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603131Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.594{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603130Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.594{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603129Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.594{5A2C5089-2CFA-6007-61A1-00000000A301}41643176C:\Windows\system32\csrss.exe{5A2C5089-300D-6007-33A2-00000000A301}4704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603128Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.594{5A2C5089-300C-6007-2FA2-00000000A301}67603740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe{5A2C5089-300D-6007-33A2-00000000A301}4704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+bca9abb8|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+bca9946d|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23aa35|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a32b|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a200|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239772|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239128|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239010|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4ec2df|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4c3940|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+237b09 154100x8000000000000000603127Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.606{5A2C5089-300D-6007-33A2-00000000A301}4704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\rqh4poma\rqh4poma.cmdline"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Tasks\pshell.xml 11241100x8000000000000000603126Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.594{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\rqh4poma\rqh4poma.cmdline2021-01-19 19:16:29.594 11241100x8000000000000000603125Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:16:29.594{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\rqh4poma\rqh4poma.dll2021-01-19 19:16:29.594 11241100x8000000000000000603124Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:16:29.578{5A2C5089-300D-6007-31A2-00000000A301}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\dzxho5ho\dzxho5ho.dll2021-01-19 19:16:29.469 10341000x8000000000000000603123Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.562{5A2C5089-300C-6007-30A2-00000000A301}67681148C:\Windows\system32\conhost.exe{5A2C5089-300D-6007-32A2-00000000A301}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603122Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.562{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603121Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.562{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603120Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.562{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603119Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.562{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-300D-6007-32A2-00000000A301}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603118Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.562{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603117Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.562{5A2C5089-300D-6007-31A2-00000000A301}28284748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5A2C5089-300D-6007-32A2-00000000A301}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603116Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.574{5A2C5089-300D-6007-32A2-00000000A301}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESB891.tmp" "c:\Users\Administrator\AppData\Local\Temp\dzxho5ho\CSC405C0E91977D4BB59FD4F0EDAE67DCCE.TMP"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5A2C5089-300D-6007-31A2-00000000A301}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\dzxho5ho\dzxho5ho.cmdline" 10341000x8000000000000000603115Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.500{5A2C5089-300C-6007-30A2-00000000A301}67681148C:\Windows\system32\conhost.exe{5A2C5089-300D-6007-31A2-00000000A301}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603114Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.500{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603113Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.500{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603112Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.500{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603111Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.500{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-300D-6007-31A2-00000000A301}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603110Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.500{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603109Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.500{5A2C5089-300C-6007-2FA2-00000000A301}67603740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe{5A2C5089-300D-6007-31A2-00000000A301}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+bca9abb8|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+bca9946d|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23aa35|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a32b|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a200|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239772|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239128|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239010|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4ec2df|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4c3940|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+237b09 154100x8000000000000000603108Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.486{5A2C5089-300D-6007-31A2-00000000A301}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\dzxho5ho\dzxho5ho.cmdline"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Tasks\pshell.xml 11241100x8000000000000000603107Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.469{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\dzxho5ho\dzxho5ho.cmdline2021-01-19 19:16:29.469 11241100x8000000000000000603106Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:16:29.469{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\dzxho5ho\dzxho5ho.dll2021-01-19 19:16:29.469 10341000x8000000000000000603105Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.406{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603104Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.234{5A2C5089-2CFD-6007-76A1-00000000A301}22565648C:\Windows\Explorer.EXE{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603103Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.234{5A2C5089-2CFD-6007-76A1-00000000A301}22565648C:\Windows\Explorer.EXE{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603102Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.234{5A2C5089-2CFD-6007-76A1-00000000A301}22565648C:\Windows\Explorer.EXE{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603101Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.234{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-300C-6007-30A2-00000000A301}6768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603100Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.234{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-300C-6007-30A2-00000000A301}6768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603099Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.203{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603098Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.203{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603097Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.203{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603096Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.203{5A2C5089-2CFD-6007-76A1-00000000A301}22565564C:\Windows\Explorer.EXE{5A2C5089-300C-6007-2FA2-00000000A301}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603095Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.203{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-300C-6007-30A2-00000000A301}6768C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603094Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.203{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-300C-6007-30A2-00000000A301}6768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603093Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.203{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-300C-6007-30A2-00000000A301}6768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603092Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.203{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-300C-6007-30A2-00000000A301}6768C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603091Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.187{5A2C5089-ED5A-6001-1600-00000000A301}15363704C:\Windows\system32\svchost.exe{5A2C5089-300C-6007-30A2-00000000A301}6768C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603090Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:29.187{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-300C-6007-30A2-00000000A301}6768C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603151Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:30.125{5A2C5089-2CFD-6007-76A1-00000000A301}22565648C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603150Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:30.125{5A2C5089-2CFD-6007-76A1-00000000A301}22565648C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603149Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:30.125{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603148Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:30.125{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603147Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:30.125{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000603152Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:32.215{00000000-0000-0000-0000-000000000000}6760www.example.com0::ffff:93.184.216.34;<unknown process> 10341000x8000000000000000603160Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:32.703{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3010-6007-35A2-00000000A301}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603159Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:32.687{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603158Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:32.687{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603157Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:32.687{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603156Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:32.687{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603155Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:32.687{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-3010-6007-35A2-00000000A301}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603154Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:32.687{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3010-6007-35A2-00000000A301}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603153Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:32.688{5A2C5089-3010-6007-35A2-00000000A301}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603177Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.968{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3011-6007-37A2-00000000A301}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603176Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.968{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603175Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.968{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603174Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.968{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603173Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.968{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603172Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.968{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-3011-6007-37A2-00000000A301}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603171Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.968{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3011-6007-37A2-00000000A301}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603170Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.969{5A2C5089-3011-6007-37A2-00000000A301}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603169Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.515{5A2C5089-3011-6007-36A2-00000000A301}25001052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603168Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.359{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3011-6007-36A2-00000000A301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603167Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.359{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603166Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.359{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603165Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.359{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603164Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.359{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603163Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.359{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-3011-6007-36A2-00000000A301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603162Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.359{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3011-6007-36A2-00000000A301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603161Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:33.360{5A2C5089-3011-6007-36A2-00000000A301}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603186Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:34.750{5A2C5089-3012-6007-38A2-00000000A301}53642824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603185Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:34.593{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3012-6007-38A2-00000000A301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603184Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:34.593{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603183Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:34.593{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603182Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:34.593{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603181Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:34.593{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-3012-6007-38A2-00000000A301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603180Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:34.593{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603179Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:34.593{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3012-6007-38A2-00000000A301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603178Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:34.594{5A2C5089-3012-6007-38A2-00000000A301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603202Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.843{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3013-6007-3AA2-00000000A301}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603201Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.843{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603200Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.843{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603199Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.843{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603198Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.843{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603197Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.843{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-3013-6007-3AA2-00000000A301}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603196Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.843{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3013-6007-3AA2-00000000A301}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603195Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.844{5A2C5089-3013-6007-3AA2-00000000A301}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603194Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.218{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3013-6007-39A2-00000000A301}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603193Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.218{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603192Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.218{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603191Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.218{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603190Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.218{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603189Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.218{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-3013-6007-39A2-00000000A301}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603188Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.218{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3013-6007-39A2-00000000A301}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603187Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:35.219{5A2C5089-3013-6007-39A2-00000000A301}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603212Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:36.625{5A2C5089-3014-6007-3BA2-00000000A301}65566268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603211Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:36.468{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3014-6007-3BA2-00000000A301}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603210Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:36.468{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603209Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:36.468{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603208Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:36.468{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603207Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:36.468{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603206Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:36.468{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-3014-6007-3BA2-00000000A301}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603205Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:36.468{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3014-6007-3BA2-00000000A301}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603204Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:36.469{5A2C5089-3014-6007-3BA2-00000000A301}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603203Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:16:36.015{5A2C5089-3013-6007-3AA2-00000000A301}55926456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000603213Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:17:29.795{5A2C5089-ED5A-6001-1000-00000000A301}1168C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ee97-0xbaf2c1ff) 10341000x8000000000000000603221Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:32.716{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-304C-6007-3CA2-00000000A301}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603220Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:32.716{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603219Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:32.716{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603218Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:32.716{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603217Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:32.716{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603216Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:32.716{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-304C-6007-3CA2-00000000A301}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603215Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:32.716{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-304C-6007-3CA2-00000000A301}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603214Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:32.717{5A2C5089-304C-6007-3CA2-00000000A301}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603230Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:33.545{5A2C5089-304D-6007-3DA2-00000000A301}11282160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603229Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:33.388{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-304D-6007-3DA2-00000000A301}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603228Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:33.388{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603227Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:33.388{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603226Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:33.388{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603225Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:33.388{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603224Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:33.388{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-304D-6007-3DA2-00000000A301}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603223Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:33.388{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-304D-6007-3DA2-00000000A301}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603222Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:33.389{5A2C5089-304D-6007-3DA2-00000000A301}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603248Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.888{5A2C5089-304E-6007-3FA2-00000000A301}37886552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603247Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.732{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-304E-6007-3FA2-00000000A301}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603246Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.732{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603245Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.732{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603244Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.732{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603243Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.732{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603242Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.732{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-304E-6007-3FA2-00000000A301}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603241Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.732{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-304E-6007-3FA2-00000000A301}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603240Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.733{5A2C5089-304E-6007-3FA2-00000000A301}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603239Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.091{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603238Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.060{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-304E-6007-3EA2-00000000A301}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603237Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.060{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603236Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.060{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603235Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.060{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603234Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.060{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603233Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.060{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-304E-6007-3EA2-00000000A301}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603232Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.060{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-304E-6007-3EA2-00000000A301}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603231Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:34.061{5A2C5089-304E-6007-3EA2-00000000A301}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603257Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:35.560{5A2C5089-304F-6007-40A2-00000000A301}3944172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603256Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:35.404{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-304F-6007-40A2-00000000A301}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603255Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:35.404{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603254Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:35.404{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603253Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:35.404{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603252Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:35.404{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603251Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:35.404{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-304F-6007-40A2-00000000A301}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603250Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:35.404{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-304F-6007-40A2-00000000A301}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603249Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:35.404{5A2C5089-304F-6007-40A2-00000000A301}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603307Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.779{5A2C5089-3050-6007-42A2-00000000A301}38722144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603306Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.623{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3050-6007-42A2-00000000A301}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603305Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.623{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603304Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.623{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603303Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.623{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603302Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.623{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603301Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.623{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-3050-6007-42A2-00000000A301}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603300Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.623{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3050-6007-42A2-00000000A301}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603299Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.623{5A2C5089-3050-6007-42A2-00000000A301}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603298Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603297Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603296Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603295Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603294Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603293Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603292Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603291Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603290Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603289Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603288Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603287Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603286Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603285Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603284Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603283Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603282Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603281Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603280Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603279Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603278Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603277Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603276Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603275Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603274Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603273Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603272Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603271Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603270Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603269Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603268Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603267Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603266Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.138{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603265Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.076{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3050-6007-41A2-00000000A301}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603264Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.076{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603263Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.076{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603262Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.076{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603261Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.076{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603260Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.076{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-3050-6007-41A2-00000000A301}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603259Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.076{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3050-6007-41A2-00000000A301}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603258Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:17:36.076{5A2C5089-3050-6007-41A2-00000000A301}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603310Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:02.184{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603309Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:02.184{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603308Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:02.184{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603311Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:25.387{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603312Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:26.090{5A2C5089-ED57-6001-0B00-00000000A301}8602488C:\Windows\system32\lsass.exe{5A2C5089-ED55-6001-0100-00000000A301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000603321Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:32.902{5A2C5089-3088-6007-43A2-00000000A301}39685220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603320Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:32.730{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3088-6007-43A2-00000000A301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603319Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:32.730{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603318Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:32.730{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603317Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:32.730{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603316Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:32.730{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603315Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:32.730{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-3088-6007-43A2-00000000A301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603314Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:32.730{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3088-6007-43A2-00000000A301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603313Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:32.731{5A2C5089-3088-6007-43A2-00000000A301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603330Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:33.558{5A2C5089-3089-6007-44A2-00000000A301}28284748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603329Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:33.402{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3089-6007-44A2-00000000A301}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603328Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:33.402{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603327Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:33.402{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603326Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:33.402{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603325Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:33.402{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603324Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:33.402{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-3089-6007-44A2-00000000A301}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603323Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:33.402{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3089-6007-44A2-00000000A301}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603322Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:33.402{5A2C5089-3089-6007-44A2-00000000A301}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603348Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.902{5A2C5089-308A-6007-46A2-00000000A301}47001748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603347Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.746{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-308A-6007-46A2-00000000A301}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603346Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.746{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603345Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.746{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603344Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.746{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603343Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.746{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603342Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.746{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-308A-6007-46A2-00000000A301}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603341Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.746{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-308A-6007-46A2-00000000A301}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603340Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.746{5A2C5089-308A-6007-46A2-00000000A301}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603339Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.730{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-2CFC-6007-6BA1-00000000A301}4660C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603338Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.074{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-308A-6007-45A2-00000000A301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603337Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.074{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603336Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.074{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603335Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.074{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603334Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.074{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603333Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.074{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-308A-6007-45A2-00000000A301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603332Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.074{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-308A-6007-45A2-00000000A301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603331Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:34.074{5A2C5089-308A-6007-45A2-00000000A301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603356Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:35.417{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-308B-6007-47A2-00000000A301}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603355Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:35.417{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603354Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:35.417{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603353Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:35.417{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603352Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:35.417{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603351Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:35.417{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-308B-6007-47A2-00000000A301}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603350Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:35.417{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-308B-6007-47A2-00000000A301}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603349Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:35.418{5A2C5089-308B-6007-47A2-00000000A301}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603373Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.912{5A2C5089-308C-6007-49A2-00000000A301}56685608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603372Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.761{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-308C-6007-49A2-00000000A301}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603371Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.761{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603370Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.761{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603369Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.761{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603368Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.761{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603367Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.761{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-308C-6007-49A2-00000000A301}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603366Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.761{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-308C-6007-49A2-00000000A301}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603365Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.762{5A2C5089-308C-6007-49A2-00000000A301}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603364Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.089{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-308C-6007-48A2-00000000A301}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603363Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.089{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603362Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.089{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603361Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.089{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603360Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.089{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603359Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.089{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-308C-6007-48A2-00000000A301}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603358Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.089{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-308C-6007-48A2-00000000A301}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603357Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:36.090{5A2C5089-308C-6007-48A2-00000000A301}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603375Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:38.120{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1000-00000000A301}1168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603374Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:18:38.120{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000603381Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:41.620{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x8000000000000000603380Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:41.620{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x8000000000000000603379Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:41.620{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x8000000000000000603378Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:41.620{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d6ee97-0xe5c278b4) 13241300x8000000000000000603377Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:41.620{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x8000000000000000603376Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:41.620{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 13241300x8000000000000000603391Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:46.761{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000603390Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:46.761{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x148ed074) 13241300x8000000000000000603389Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:46.761{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ee8f-0x86e7a71d) 13241300x8000000000000000603388Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:46.761{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ee97-0xe8ac0f1d) 13241300x8000000000000000603387Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:46.761{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6eea0-0x4a70771d) 13241300x8000000000000000603386Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:46.761{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000603385Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:46.761{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x148ed074) 13241300x8000000000000000603384Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:46.761{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ee8f-0x86e7a71d) 13241300x8000000000000000603383Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:46.761{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ee97-0xe8ac0f1d) 13241300x8000000000000000603382Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:18:46.761{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6eea0-0x4a70771d) 10341000x8000000000000000603483Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.884{5A2C5089-30C1-6007-4DA2-00000000A301}63642552C:\Windows\system32\conhost.exe{5A2C5089-30C1-6007-52A2-00000000A301}3968C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603482Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.884{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603481Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.884{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603480Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.884{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603479Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.884{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-30C1-6007-52A2-00000000A301}3968C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603478Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.884{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603477Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.884{5A2C5089-30C1-6007-4CA2-00000000A301}23207072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe{5A2C5089-30C1-6007-52A2-00000000A301}3968C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8b932a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8034133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8033e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ae5469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c7ff499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8052e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c80364ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c80364ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c803635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c80282e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8034817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c80343b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8034133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8033e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c8ae5469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c801ac65(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+c801a235(wow64) 154100x8000000000000000603476Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.891{5A2C5089-30C1-6007-52A2-00000000A301}3968C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exe"C:\Windows\system32\PING.EXE" example.comC:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Tasks\pshell.xml 10341000x8000000000000000603475Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.837{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603474Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.837{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000603473Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.759{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ljvu5tqg.1ge.ps12021-01-19 19:19:29.759 11241100x8000000000000000603472Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:19:29.744{5A2C5089-30C1-6007-50A2-00000000A301}2208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\h04fcx21\h04fcx21.dll2021-01-19 19:19:29.634 10341000x8000000000000000603471Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.728{5A2C5089-30C1-6007-4DA2-00000000A301}63642552C:\Windows\system32\conhost.exe{5A2C5089-30C1-6007-51A2-00000000A301}2284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603470Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.728{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603469Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.728{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603468Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.728{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603467Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.728{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-30C1-6007-51A2-00000000A301}2284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603466Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.728{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603465Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.728{5A2C5089-30C1-6007-50A2-00000000A301}22086840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5A2C5089-30C1-6007-51A2-00000000A301}2284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603464Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.733{5A2C5089-30C1-6007-51A2-00000000A301}2284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES784D.tmp" "c:\Users\Administrator\AppData\Local\Temp\h04fcx21\CSC24C21F62DF444E8292D15DAF823F6491.TMP"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5A2C5089-30C1-6007-50A2-00000000A301}2208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\h04fcx21\h04fcx21.cmdline" 10341000x8000000000000000603463Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.650{5A2C5089-30C1-6007-4DA2-00000000A301}63642552C:\Windows\system32\conhost.exe{5A2C5089-30C1-6007-50A2-00000000A301}2208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603462Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.650{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603461Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.650{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603460Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.650{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603459Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.650{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603458Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.650{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-30C1-6007-50A2-00000000A301}2208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603457Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.650{5A2C5089-30C1-6007-4CA2-00000000A301}23206452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe{5A2C5089-30C1-6007-50A2-00000000A301}2208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+bc8bab7b|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+bc8b9430|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23aa35|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a32b|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a200|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239772|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239128|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239010|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4ec2df|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4c3940|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+237b09 154100x8000000000000000603456Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.651{5A2C5089-30C1-6007-50A2-00000000A301}2208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\h04fcx21\h04fcx21.cmdline"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Tasks\pshell.xml 11241100x8000000000000000603455Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.634{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\h04fcx21\h04fcx21.cmdline2021-01-19 19:19:29.634 11241100x8000000000000000603454Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:19:29.634{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\h04fcx21\h04fcx21.dll2021-01-19 19:19:29.634 11241100x8000000000000000603453Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:19:29.619{5A2C5089-30C1-6007-4EA2-00000000A301}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ydue3nqy\ydue3nqy.dll2021-01-19 19:19:29.556 10341000x8000000000000000603452Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.619{5A2C5089-30C1-6007-4DA2-00000000A301}63642552C:\Windows\system32\conhost.exe{5A2C5089-30C1-6007-4FA2-00000000A301}5088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603451Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.619{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603450Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.619{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603449Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.619{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603448Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.619{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-30C1-6007-4FA2-00000000A301}5088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603447Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.619{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603446Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.619{5A2C5089-30C1-6007-4EA2-00000000A301}31606532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5A2C5089-30C1-6007-4FA2-00000000A301}5088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603445Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.621{5A2C5089-30C1-6007-4FA2-00000000A301}5088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES77E0.tmp" "c:\Users\Administrator\AppData\Local\Temp\ydue3nqy\CSCA3DD797C5ABE4469942B3F8220AC77DF.TMP"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5A2C5089-30C1-6007-4EA2-00000000A301}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\ydue3nqy\ydue3nqy.cmdline" 10341000x8000000000000000603444Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.556{5A2C5089-30C1-6007-4DA2-00000000A301}63642552C:\Windows\system32\conhost.exe{5A2C5089-30C1-6007-4EA2-00000000A301}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603443Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.556{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603442Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.556{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603441Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.556{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-30C1-6007-4EA2-00000000A301}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603440Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.556{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603439Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.556{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603438Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.556{5A2C5089-30C1-6007-4CA2-00000000A301}23206452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe{5A2C5089-30C1-6007-4EA2-00000000A301}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+bc8bab7b|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\15ac41cabc80ae8e07f1d041fdcb6d8f\Microsoft.Build.Tasks.v4.0.ni.dll+bc8b9430|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23aa35|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a32b|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+23a200|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239772|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239128|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+239010|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4ec2df|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+4c3940|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\e3e2ff119236a51129335d785a6cb675\Microsoft.Build.ni.dll+237b09 154100x8000000000000000603437Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.563{5A2C5089-30C1-6007-4EA2-00000000A301}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\ydue3nqy\ydue3nqy.cmdline"C:\Windows\Tasks\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Tasks\pshell.xml 11241100x8000000000000000603436Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.556{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\ydue3nqy\ydue3nqy.cmdline2021-01-19 19:19:29.556 11241100x8000000000000000603435Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localDLL2021-01-19 19:19:29.556{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Users\Administrator\AppData\Local\Temp\ydue3nqy\ydue3nqy.dll2021-01-19 19:19:29.556 10341000x8000000000000000603434Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.525{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603433Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.462{5A2C5089-2CFD-6007-76A1-00000000A301}22565708C:\Windows\Explorer.EXE{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603432Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.462{5A2C5089-2CFD-6007-76A1-00000000A301}22565708C:\Windows\Explorer.EXE{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603431Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.462{5A2C5089-2CFD-6007-76A1-00000000A301}22565708C:\Windows\Explorer.EXE{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603430Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.462{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-30C1-6007-4DA2-00000000A301}6364C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603429Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.462{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-30C1-6007-4DA2-00000000A301}6364C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603428Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.462{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603427Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.462{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603426Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.462{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603425Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.462{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603424Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.462{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-30C1-6007-4DA2-00000000A301}6364C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603423Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.462{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-30C1-6007-4DA2-00000000A301}6364C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603422Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.462{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-30C1-6007-4DA2-00000000A301}6364C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603421Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.462{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-30C1-6007-4DA2-00000000A301}6364C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603420Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.447{5A2C5089-ED5A-6001-1600-00000000A301}15363212C:\Windows\system32\svchost.exe{5A2C5089-30C1-6007-4DA2-00000000A301}6364C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603419Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.447{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-30C1-6007-4DA2-00000000A301}6364C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603418Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.447{5A2C5089-30C1-6007-4DA2-00000000A301}63642552C:\Windows\system32\conhost.exe{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603417Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.447{5A2C5089-2CFA-6007-61A1-00000000A301}41646216C:\Windows\system32\csrss.exe{5A2C5089-30C1-6007-4DA2-00000000A301}6364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603416Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.431{5A2C5089-2CFA-6007-61A1-00000000A301}41646220C:\Windows\system32\csrss.exe{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603415Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.431{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603414Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.431{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603413Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.431{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603412Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.431{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603411Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.431{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603410Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.431{5A2C5089-30C1-6007-4BA2-00000000A301}66884524C:\Windows\system32\wbem\wmiprvse.exe{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4 154100x8000000000000000603409Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.443{5A2C5089-30C1-6007-4CA2-00000000A301}2320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe4.7.2053.0 built by: NET47REL1MSBuild.exeMicrosoft® .NET FrameworkMicrosoft CorporationMSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Tasks\pshell.xmlC:\Windows\system32\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=E5AC74797478CD9649F201931EDE1166,SHA256=C50E0AA6EF6A1B6B775C8DC1D64E351610ABD7DDD08717C06A3A17C9D11A95DC,IMPHASH=00000000000000000000000000000000{5A2C5089-30C1-6007-4BA2-00000000A301}6688C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x8000000000000000603408Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.localT10532021-01-19 19:19:29.431{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Windows\Tasks\pshell.xml2021-01-19 19:19:29.431 10341000x8000000000000000603407Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.400{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-30C1-6007-4BA2-00000000A301}6688C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603406Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.400{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-30C1-6007-4BA2-00000000A301}6688C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603405Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.384{5A2C5089-ED5A-6001-1600-00000000A301}15362468C:\Windows\system32\svchost.exe{5A2C5089-30C1-6007-4BA2-00000000A301}6688C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603404Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.384{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C1-6007-4BA2-00000000A301}6688C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603403Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.369{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-30C1-6007-4BA2-00000000A301}6688C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603402Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.369{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C1-6007-4BA2-00000000A301}6688C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603401Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.353{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603400Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.353{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603399Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.353{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603398Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.337{5A2C5089-ED5A-6001-1600-00000000A301}15362468C:\Windows\system32\svchost.exe{5A2C5089-30C1-6007-4AA2-00000000A301}5440C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603397Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.322{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C1-6007-4AA2-00000000A301}5440C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603396Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.306{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-30C1-6007-4AA2-00000000A301}5440C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603395Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.306{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C1-6007-4AA2-00000000A301}5440C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603394Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.306{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603393Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.306{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603392Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:29.291{5A2C5089-ED57-6001-0B00-00000000A301}8605032C:\Windows\system32\lsass.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000603484Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:32.192{5A2C5089-30C1-6007-52A2-00000000A301}3968example.com0::ffff:93.184.216.34;C:\Windows\System32\PING.EXE 10341000x8000000000000000603497Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:32.962{5A2C5089-2CFD-6007-76A1-00000000A301}22565708C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603496Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:32.962{5A2C5089-2CFD-6007-76A1-00000000A301}22565708C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603495Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:32.962{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603494Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:32.962{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603493Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:32.962{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603492Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:32.603{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-30C4-6007-53A2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603491Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:32.603{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603490Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:32.603{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603489Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:32.587{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603488Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:32.587{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603487Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:32.587{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-30C4-6007-53A2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603486Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:32.587{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-30C4-6007-53A2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603485Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:32.588{5A2C5089-30C4-6007-53A2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603514Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.837{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-30C5-6007-55A2-00000000A301}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603513Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.837{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603512Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.837{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603511Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.837{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603510Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.837{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603509Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.837{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-30C5-6007-55A2-00000000A301}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603508Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.837{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-30C5-6007-55A2-00000000A301}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603507Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.839{5A2C5089-30C5-6007-55A2-00000000A301}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603506Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.368{5A2C5089-30C5-6007-54A2-00000000A301}47045596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603505Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.212{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-30C5-6007-54A2-00000000A301}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603504Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.212{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603503Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.212{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603502Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.212{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603501Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.212{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603500Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.212{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-30C5-6007-54A2-00000000A301}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603499Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.212{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-30C5-6007-54A2-00000000A301}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603498Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.213{5A2C5089-30C5-6007-54A2-00000000A301}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603524Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:34.572{5A2C5089-30C6-6007-56A2-00000000A301}69081768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603523Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:34.415{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-30C6-6007-56A2-00000000A301}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603522Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:34.415{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603521Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:34.415{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603520Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:34.415{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603519Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:34.415{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603518Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:34.415{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-30C6-6007-56A2-00000000A301}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603517Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:34.415{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-30C6-6007-56A2-00000000A301}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603516Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:34.416{5A2C5089-30C6-6007-56A2-00000000A301}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603515Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:33.993{5A2C5089-30C5-6007-55A2-00000000A301}54565248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603540Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.665{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-30C7-6007-58A2-00000000A301}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603539Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.665{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603538Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.665{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603537Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.665{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603536Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.665{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603535Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.665{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-30C7-6007-58A2-00000000A301}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603534Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.665{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-30C7-6007-58A2-00000000A301}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603533Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.666{5A2C5089-30C7-6007-58A2-00000000A301}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603532Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.040{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-30C7-6007-57A2-00000000A301}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603531Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.040{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603530Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.040{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603529Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.040{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603528Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.040{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603527Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.040{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-30C7-6007-57A2-00000000A301}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603526Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.040{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-30C7-6007-57A2-00000000A301}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603525Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:35.042{5A2C5089-30C7-6007-57A2-00000000A301}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603829Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-30C1-6007-4BA2-00000000A301}6688C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603828Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-30C1-6007-4BA2-00000000A301}6688C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603827Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-30C1-6007-4BA2-00000000A301}6688C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603826Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-30C1-6007-4BA2-00000000A301}6688C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603825Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-30C1-6007-4BA2-00000000A301}6688C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603824Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-30C1-6007-4AA2-00000000A301}5440C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603823Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-30C1-6007-4AA2-00000000A301}5440C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603822Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-30C1-6007-4AA2-00000000A301}5440C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603821Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-30C1-6007-4AA2-00000000A301}5440C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603820Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-30C1-6007-4AA2-00000000A301}5440C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603819Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603818Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603817Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603816Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603815Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603814Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603813Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603812Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603811Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603810Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603809Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603808Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603807Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603806Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D23-6007-9AA1-00000000A301}6616C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603805Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603804Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603803Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603802Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603801Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D23-6007-99A1-00000000A301}752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603800Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603799Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.618{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603798Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.603{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603797Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.603{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603796Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.603{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603795Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.603{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603794Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.603{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+1a471|C:\Windows\system32\taskmgr.exe+19ea8|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603793Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.603{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603792Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.603{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603791Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.603{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603790Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.603{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603789Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.603{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603788Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.572{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603787Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.572{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603786Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.462{5A2C5089-30C8-6007-59A2-00000000A301}39445772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603785Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+1a471|C:\Windows\system32\taskmgr.exe+19ea8|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603784Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603783Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFE-6007-78A1-00000000A301}3904C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603782Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFE-6007-78A1-00000000A301}3904C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603781Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFE-6007-78A1-00000000A301}3904C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603780Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFE-6007-78A1-00000000A301}3904C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603779Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603778Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603777Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-2CFD-6007-76A1-00000000A301}22565480C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\Explorer.EXE+8cb87|C:\Windows\Explorer.EXE+56261|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\Explorer.EXE+51bc9|C:\Windows\Explorer.EXE+8f763|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603776Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603775Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603774Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+1a471|C:\Windows\system32\taskmgr.exe+19ea8|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603773Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603772Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFC-6007-6EA1-00000000A301}1044C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603771Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFC-6007-6EA1-00000000A301}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603770Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFC-6007-6EA1-00000000A301}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603769Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.431{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFC-6007-6EA1-00000000A301}1044C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603768Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-2CFD-6007-76A1-00000000A301}22565480C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a5a3|C:\Windows\Explorer.EXE+5983c|C:\Windows\Explorer.EXE+56de3|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740ADE2CF)|UNKNOWN(FFFFF3E740A84BA2)|UNKNOWN(FFFFF3E740A7F1A1)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e 10341000x8000000000000000603767Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-2CFD-6007-76A1-00000000A301}22565480C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a5a3|C:\Windows\Explorer.EXE+5983c|C:\Windows\Explorer.EXE+56de3|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740ADE2CF)|UNKNOWN(FFFFF3E740A84BA2)|UNKNOWN(FFFFF3E740A7F1A1)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\Explorer.EXE+51aca 10341000x8000000000000000603766Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-2CFD-6007-76A1-00000000A301}22565480C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a5a3|C:\Windows\Explorer.EXE+5983c|C:\Windows\Explorer.EXE+56de3|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF800C52648D8)|UNKNOWN(FFFFF3E740ADE2CF)|UNKNOWN(FFFFF3E740A84BA2)|UNKNOWN(FFFFF3E740A7F1A1)|UNKNOWN(FFFFF3E740A80B6A)|UNKNOWN(FFFFF3E740A7EE26)|UNKNOWN(FFFFF800C4F7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e 10341000x8000000000000000603765Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFC-6007-6BA1-00000000A301}4660C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603764Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFC-6007-6BA1-00000000A301}4660C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603763Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFC-6007-6BA1-00000000A301}4660C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603762Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFC-6007-6BA1-00000000A301}4660C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603761Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFC-6007-6BA1-00000000A301}4660C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603760Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFB-6007-65A1-00000000A301}2300C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603759Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFB-6007-65A1-00000000A301}2300C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603758Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFB-6007-65A1-00000000A301}2300C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603757Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFB-6007-65A1-00000000A301}2300C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603756Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFA-6007-62A1-00000000A301}5084C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603755Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFA-6007-62A1-00000000A301}5084C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603754Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFA-6007-62A1-00000000A301}5084C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603753Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFA-6007-62A1-00000000A301}5084C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603752Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFA-6007-61A1-00000000A301}4164C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603751Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-2CFA-6007-61A1-00000000A301}4164C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603750Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE12-6001-E800-00000000A301}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603749Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE12-6001-E800-00000000A301}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603748Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE12-6001-E800-00000000A301}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603747Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE12-6001-E800-00000000A301}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603746Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE12-6001-E800-00000000A301}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603745Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE0C-6001-DE00-00000000A301}808C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603744Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE0C-6001-DE00-00000000A301}808C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603743Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE0C-6001-DE00-00000000A301}808C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603742Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE0C-6001-DE00-00000000A301}808C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603741Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE0C-6001-DE00-00000000A301}808C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603740Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE04-6001-B400-00000000A301}4296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603739Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE04-6001-B400-00000000A301}4296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603738Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE04-6001-B400-00000000A301}4296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603737Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE04-6001-B400-00000000A301}4296C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603736Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603735Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603734Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603733Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603732Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603731Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EDE7-6001-9200-00000000A301}2508C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603730Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EDE7-6001-9200-00000000A301}2508C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603729Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EDE7-6001-9200-00000000A301}2508C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603728Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EDE7-6001-9200-00000000A301}2508C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603727Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-EDE7-6001-9200-00000000A301}2508C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603726Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6F-6001-5900-00000000A301}3980C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603725Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6F-6001-5900-00000000A301}3980C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603724Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6F-6001-5900-00000000A301}3980C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603723Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6F-6001-5900-00000000A301}3980C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603722Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6E-6001-5500-00000000A301}3916C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603721Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6E-6001-5500-00000000A301}3916C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603720Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6E-6001-5500-00000000A301}3916C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603719Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6E-6001-5500-00000000A301}3916C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603718Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6E-6001-5500-00000000A301}3916C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603717Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3600-00000000A301}3404C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603716Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3600-00000000A301}3404C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603715Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3600-00000000A301}3404C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603714Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3600-00000000A301}3404C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603713Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3600-00000000A301}3404C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603712Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3400-00000000A301}3184C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603711Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3400-00000000A301}3184C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603710Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3400-00000000A301}3184C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603709Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3400-00000000A301}3184C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603708Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3400-00000000A301}3184C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603707Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3300-00000000A301}2524C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603706Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3300-00000000A301}2524C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603705Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3300-00000000A301}2524C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603704Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3300-00000000A301}2524C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603703Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3300-00000000A301}2524C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603702Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603701Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603700Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603699Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603698Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603697Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3100-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603696Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3100-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603695Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3100-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603694Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3100-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603693Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3100-00000000A301}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603692Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3000-00000000A301}2108C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603691Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3000-00000000A301}2108C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603690Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3000-00000000A301}2108C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603689Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3000-00000000A301}2108C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603688Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-3000-00000000A301}2108C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603687Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2F00-00000000A301}2176C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603686Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2F00-00000000A301}2176C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603685Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2F00-00000000A301}2176C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603684Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2F00-00000000A301}2176C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603683Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2F00-00000000A301}2176C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603682Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603681Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.415{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603680Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603679Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603678Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603677Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603676Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603675Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603674Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603673Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2B00-00000000A301}2444C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603672Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2B00-00000000A301}2444C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603671Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2B00-00000000A301}2444C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603670Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2B00-00000000A301}2444C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603669Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2B00-00000000A301}2444C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603668Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2A00-00000000A301}2236C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603667Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2A00-00000000A301}2236C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603666Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2A00-00000000A301}2236C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603665Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2A00-00000000A301}2236C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603664Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2A00-00000000A301}2236C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603663Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2800-00000000A301}2632C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603662Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2800-00000000A301}2632C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603661Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2800-00000000A301}2632C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603660Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2800-00000000A301}2632C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603659Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED6A-6001-2800-00000000A301}2632C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603658Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED63-6001-2600-00000000A301}3028C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603657Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED63-6001-2600-00000000A301}3028C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603656Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED63-6001-2600-00000000A301}3028C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603655Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED63-6001-2600-00000000A301}3028C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603654Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED61-6001-2500-00000000A301}2948C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603653Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED61-6001-2500-00000000A301}2948C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603652Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED61-6001-2500-00000000A301}2948C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603651Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED61-6001-2500-00000000A301}2948C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603650Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED61-6001-2400-00000000A301}2940C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603649Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED61-6001-2400-00000000A301}2940C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603648Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED61-6001-2400-00000000A301}2940C:\Users\Public\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603647Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED61-6001-2400-00000000A301}2940C:\Users\Public\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603646Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED61-6001-2400-00000000A301}2940C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603645Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5B-6001-2100-00000000A301}2336C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603644Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5B-6001-2100-00000000A301}2336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603643Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5B-6001-2100-00000000A301}2336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603642Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5B-6001-2100-00000000A301}2336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603641Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1700-00000000A301}1632C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603640Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1700-00000000A301}1632C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603639Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1700-00000000A301}1632C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603638Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1700-00000000A301}1632C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603637Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603636Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603635Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603634Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603633Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603632Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603631Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603630Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603629Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1400-00000000A301}1324C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603628Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1400-00000000A301}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603627Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1400-00000000A301}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603626Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1400-00000000A301}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603625Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603624Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603623Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603622Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603621Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1100-00000000A301}1176C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603620Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1100-00000000A301}1176C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603619Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1100-00000000A301}1176C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603618Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1100-00000000A301}1176C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603617Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.400{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1000-00000000A301}1168C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603616Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1000-00000000A301}1168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603615Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1000-00000000A301}1168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603614Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-1000-00000000A301}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603613Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-0F00-00000000A301}1132C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603612Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-0F00-00000000A301}1132C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603611Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-0F00-00000000A301}1132C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603610Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED5A-6001-0F00-00000000A301}1132C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603609Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED59-6001-0D00-00000000A301}580C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603608Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED59-6001-0D00-00000000A301}580C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603607Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED59-6001-0D00-00000000A301}580C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603606Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED59-6001-0D00-00000000A301}580C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603605Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED59-6001-0C00-00000000A301}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603604Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED59-6001-0C00-00000000A301}668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603603Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED59-6001-0C00-00000000A301}668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603602Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED59-6001-0C00-00000000A301}668C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603601Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603600Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603599Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603598Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603597Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED57-6001-0A00-00000000A301}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603596Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED57-6001-0A00-00000000A301}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603595Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED57-6001-0700-00000000A301}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603594Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED57-6001-0700-00000000A301}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603593Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED57-6001-0500-00000000A301}644C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603592Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED57-6001-0500-00000000A301}644C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603591Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED55-6001-0200-00000000A301}452C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603590Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-ED55-6001-0200-00000000A301}452C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603589Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603588Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603587Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603586Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603585Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603584Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603583Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603582Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603581Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.384{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603580Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.368{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603579Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.368{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-0F00-00000000A301}1132C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000603578Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603577Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603576Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603575Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603574Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603573Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603572Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-ED59-6001-0C00-00000000A301}6684624C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603571Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603570Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-2CFD-6007-76A1-00000000A301}22565708C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603569Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603568Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-2CFD-6007-76A1-00000000A301}22565708C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603567Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-2CFD-6007-76A1-00000000A301}22565708C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603566Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603565Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603564Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-2CFD-6007-76A1-00000000A301}22564600C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603563Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603562Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-2CFC-6007-70A1-00000000A301}40885096C:\Windows\system32\taskhostw.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603561Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603560Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603559Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603558Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.353{5A2C5089-2CFD-6007-76A1-00000000A301}22565688C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603557Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.337{5A2C5089-ED5A-6001-1600-00000000A301}15363212C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603556Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.337{5A2C5089-ED5A-6001-1600-00000000A301}15361572C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603555Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.322{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603554Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.322{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603553Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.322{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603552Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.322{5A2C5089-2CFA-6007-61A1-00000000A301}41644392C:\Windows\system32\csrss.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603551Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.322{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603550Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.322{5A2C5089-2CFD-6007-76A1-00000000A301}22567008C:\Windows\Explorer.EXE{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+8fe71|C:\Windows\System32\SHELL32.dll+8ecd6|C:\Windows\System32\SHELL32.dll+cfbb1|C:\Windows\System32\SHELL32.dll+b5dbe|C:\Windows\System32\SHELL32.dll+8db63|C:\Windows\System32\SHELL32.dll+8da2b|C:\Windows\System32\SHELL32.dll+8d347|C:\Windows\System32\SHELL32.dll+6b47e|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000603549Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.303{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\System32\Taskmgr.exe1, 0, 0, 1Task ManagerTask ManagerMicrosoft® Windows® Operating SystemTaskmgr.exe"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\ATTACKRANGE\Administrator{5A2C5089-2CFC-6007-51A1-6D0400000000}0x46da1512HighMD5=F4429ADA273FF82A9D1EC804018A0039,SHA256=1BB6FBFFBDB585DE220DB58BAAB9327E5FF03E53AE88CBCAFF777A7819044615,IMPHASH=65D7A86C4F0360F63A506C4247D3E410{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000603548Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.290{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-30C8-6007-59A2-00000000A301}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603547Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.290{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603546Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.290{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603545Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.290{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603544Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.290{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603543Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.290{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-30C8-6007-59A2-00000000A301}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603542Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.290{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-30C8-6007-59A2-00000000A301}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603541Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:36.292{5A2C5089-30C8-6007-59A2-00000000A301}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603858Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603857Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603856Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFE-6007-78A1-00000000A301}3904C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603855Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFE-6007-78A1-00000000A301}3904C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603854Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603853Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603852Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603851Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603850Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603849Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603848Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603847Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603846Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603845Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603844Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603843Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603842Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603841Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603840Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603839Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603838Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603837Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603836Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603835Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603834Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603833Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603832Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603831Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603830Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:19:37.150{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000603859Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:19:40.306{5A2C5089-ED5A-6001-1000-00000000A301}1168C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ee98-0x08bd2ef0) 10341000x8000000000000000603869Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:32.601{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3100-6007-5BA2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603868Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:32.601{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603867Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:32.601{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603866Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:32.601{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603865Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:32.601{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603864Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:32.601{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-3100-6007-5BA2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603863Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:32.601{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3100-6007-5BA2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603862Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:32.602{5A2C5089-3100-6007-5BA2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603861Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:32.132{5A2C5089-ED5A-6001-1600-00000000A301}15366392C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603860Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:32.132{5A2C5089-ED5A-6001-1600-00000000A301}15366392C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603891Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.945{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3101-6007-5DA2-00000000A301}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603890Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.945{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603889Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.945{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603888Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.945{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603887Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.945{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603886Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.945{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-3101-6007-5DA2-00000000A301}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603885Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.945{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3101-6007-5DA2-00000000A301}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603884Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.945{5A2C5089-3101-6007-5DA2-00000000A301}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603883Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.429{5A2C5089-3101-6007-5CA2-00000000A301}28326696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603882Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.413{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-3101-6007-5CA2-00000000A301}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603881Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.413{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-3101-6007-5CA2-00000000A301}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603880Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.413{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-3101-6007-5CA2-00000000A301}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603879Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.413{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-3101-6007-5CA2-00000000A301}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603878Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.413{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-3101-6007-5CA2-00000000A301}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603877Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.273{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3101-6007-5CA2-00000000A301}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603876Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.273{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603875Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.273{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603874Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.273{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603873Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.273{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603872Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.273{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-3101-6007-5CA2-00000000A301}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603871Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.273{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3101-6007-5CA2-00000000A301}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603870Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:33.273{5A2C5089-3101-6007-5CA2-00000000A301}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603900Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:34.632{5A2C5089-3102-6007-5EA2-00000000A301}65766652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603899Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:34.476{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3102-6007-5EA2-00000000A301}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603898Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:34.476{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603897Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:34.476{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603896Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:34.476{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603895Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:34.476{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603894Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:34.476{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-3102-6007-5EA2-00000000A301}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603893Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:34.476{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3102-6007-5EA2-00000000A301}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603892Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:34.477{5A2C5089-3102-6007-5EA2-00000000A301}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603917Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.976{5A2C5089-3103-6007-60A2-00000000A301}55324376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603916Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.820{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3103-6007-60A2-00000000A301}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603915Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.820{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603914Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.820{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603913Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.820{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603912Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.820{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603911Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.820{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-3103-6007-60A2-00000000A301}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603910Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.820{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3103-6007-60A2-00000000A301}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603909Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.820{5A2C5089-3103-6007-60A2-00000000A301}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603908Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.148{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3103-6007-5FA2-00000000A301}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603907Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.148{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603906Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.148{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603905Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.148{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603904Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.148{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603903Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.148{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-3103-6007-5FA2-00000000A301}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603902Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.148{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3103-6007-5FA2-00000000A301}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603901Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:35.148{5A2C5089-3103-6007-5FA2-00000000A301}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603926Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:36.648{5A2C5089-3104-6007-61A2-00000000A301}66245248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603925Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:36.491{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3104-6007-61A2-00000000A301}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603924Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:36.491{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603923Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:36.491{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603922Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:36.491{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603921Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:36.491{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-3104-6007-61A2-00000000A301}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603920Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:36.491{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603919Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:36.491{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3104-6007-61A2-00000000A301}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603918Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:36.492{5A2C5089-3104-6007-61A2-00000000A301}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603927Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:38.194{5A2C5089-ED57-6001-0B00-00000000A301}8604284C:\Windows\system32\lsass.exe{5A2C5089-ED55-6001-0100-00000000A301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000603928Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:42.710{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603929Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:49.616{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-ED59-6001-0C00-00000000A301}668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603930Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:20:53.491{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1200-00000000A301}1208C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000603933Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:21:01.116{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\0C308890-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_0C308890-0000-0000-0000-100000000000.XML 13241300x8000000000000000603932Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:21:01.100{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9916ACFC-C6A5-411F-AB13-8F4D0BF713D8\Config SourceDWORD (0x00000001) 13241300x8000000000000000603931Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:21:01.100{5A2C5089-ED6A-6001-3200-00000000A301}2764C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9916ACFC-C6A5-411F-AB13-8F4D0BF713D8\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9916ACFC-C6A5-411F-AB13-8F4D0BF713D8.XML 10341000x8000000000000000603934Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:07.459{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603935Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:24.693{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603937Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:28.427{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603936Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:28.427{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603939Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:31.177{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603938Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:31.177{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603947Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:32.599{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-313C-6007-62A2-00000000A301}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603946Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:32.599{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603945Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:32.599{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603944Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:32.599{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603943Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:32.599{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603942Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:32.599{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-313C-6007-62A2-00000000A301}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603941Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:32.599{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-313C-6007-62A2-00000000A301}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603940Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:32.599{5A2C5089-313C-6007-62A2-00000000A301}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603969Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.880{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-313D-6007-64A2-00000000A301}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603968Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.880{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603967Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.880{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603966Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.880{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603965Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.880{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603964Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.880{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-313D-6007-64A2-00000000A301}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603963Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.880{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-313D-6007-64A2-00000000A301}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603962Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.881{5A2C5089-313D-6007-64A2-00000000A301}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603961Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.411{5A2C5089-313D-6007-63A2-00000000A301}68966000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603960Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.255{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-313D-6007-63A2-00000000A301}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603959Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.255{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603958Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.255{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603957Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.255{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603956Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.255{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603955Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.255{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-313D-6007-63A2-00000000A301}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603954Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.255{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-313D-6007-63A2-00000000A301}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603953Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.256{5A2C5089-313D-6007-63A2-00000000A301}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603952Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.255{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-313D-6007-63A2-00000000A301}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603951Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.255{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-313D-6007-63A2-00000000A301}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603950Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.255{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-313D-6007-63A2-00000000A301}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603949Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.255{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-313D-6007-63A2-00000000A301}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603948Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:33.255{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-313D-6007-63A2-00000000A301}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603978Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:34.661{5A2C5089-313E-6007-65A2-00000000A301}66284688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603977Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:34.505{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-313E-6007-65A2-00000000A301}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603976Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:34.505{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603975Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:34.505{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603974Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:34.505{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603973Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:34.505{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603972Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:34.505{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-313E-6007-65A2-00000000A301}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603971Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:34.505{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-313E-6007-65A2-00000000A301}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603970Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:34.506{5A2C5089-313E-6007-65A2-00000000A301}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604003Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.755{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-313F-6007-67A2-00000000A301}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604002Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.755{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604001Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.755{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604000Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.755{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603999Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.755{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603998Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.755{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-313F-6007-67A2-00000000A301}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603997Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.755{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-313F-6007-67A2-00000000A301}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603996Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.756{5A2C5089-313F-6007-67A2-00000000A301}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000603995Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.614{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603994Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.614{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-2CFC-6007-6BA1-00000000A301}4660C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603993Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.614{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603992Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.302{5A2C5089-313F-6007-66A2-00000000A301}44641108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603991Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.286{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-313F-6007-66A2-00000000A301}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603990Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.286{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-313F-6007-66A2-00000000A301}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603989Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.286{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-313F-6007-66A2-00000000A301}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603988Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.286{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-313F-6007-66A2-00000000A301}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603987Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.286{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-313F-6007-66A2-00000000A301}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603986Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.130{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-313F-6007-66A2-00000000A301}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603985Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.130{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603984Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.130{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603983Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.130{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603982Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.130{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603981Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.130{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-313F-6007-66A2-00000000A301}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000603980Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.130{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-313F-6007-66A2-00000000A301}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000603979Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:35.131{5A2C5089-313F-6007-66A2-00000000A301}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604012Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:36.536{5A2C5089-3140-6007-68A2-00000000A301}45886100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604011Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:36.380{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3140-6007-68A2-00000000A301}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604010Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:36.380{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604009Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:36.380{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604008Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:36.380{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604007Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:36.380{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604006Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:36.380{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-3140-6007-68A2-00000000A301}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604005Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:36.380{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3140-6007-68A2-00000000A301}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604004Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:36.381{5A2C5089-3140-6007-68A2-00000000A301}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604043Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604042Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604041Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604040Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604039Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFE-6007-78A1-00000000A301}3904C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604038Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFE-6007-78A1-00000000A301}3904C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604037Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604036Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604035Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604034Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604033Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604032Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604031Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604030Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604029Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604028Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604027Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604026Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604025Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604024Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604023Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604022Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604021Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604020Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604019Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604018Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604017Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604016Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604015Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604014Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604013Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:21:38.630{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604044Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:03.801{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604045Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:29.706{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604054Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:32.769{5A2C5089-3178-6007-69A2-00000000A301}5768424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604053Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:32.612{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3178-6007-69A2-00000000A301}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604052Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:32.612{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604051Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:32.612{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604050Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:32.612{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604049Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:32.612{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604048Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:32.612{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-3178-6007-69A2-00000000A301}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604047Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:32.612{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3178-6007-69A2-00000000A301}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604046Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:32.613{5A2C5089-3178-6007-69A2-00000000A301}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604071Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.956{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3179-6007-6BA2-00000000A301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604070Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.956{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604069Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.956{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604068Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.956{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604067Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.956{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604066Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.956{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-3179-6007-6BA2-00000000A301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604065Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.956{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3179-6007-6BA2-00000000A301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604064Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.956{5A2C5089-3179-6007-6BA2-00000000A301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604063Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.440{5A2C5089-3179-6007-6AA2-00000000A301}68004456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604062Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.284{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3179-6007-6AA2-00000000A301}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604061Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.284{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604060Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.284{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604059Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.284{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604058Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.284{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604057Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.284{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-3179-6007-6AA2-00000000A301}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604056Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.284{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3179-6007-6AA2-00000000A301}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604055Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:33.285{5A2C5089-3179-6007-6AA2-00000000A301}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604080Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:34.768{5A2C5089-317A-6007-6CA2-00000000A301}3852756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604079Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:34.628{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-317A-6007-6CA2-00000000A301}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604078Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:34.628{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604077Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:34.628{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604076Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:34.628{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604075Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:34.628{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604074Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:34.628{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-317A-6007-6CA2-00000000A301}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604073Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:34.628{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-317A-6007-6CA2-00000000A301}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604072Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:34.628{5A2C5089-317A-6007-6CA2-00000000A301}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604096Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.972{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-317B-6007-6EA2-00000000A301}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604095Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.972{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604094Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.972{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604093Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.972{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604092Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.972{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604091Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.972{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-317B-6007-6EA2-00000000A301}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604090Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.972{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-317B-6007-6EA2-00000000A301}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604089Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.972{5A2C5089-317B-6007-6EA2-00000000A301}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604088Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.300{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-317B-6007-6DA2-00000000A301}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604087Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.300{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604086Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.300{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604085Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.300{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604084Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.300{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604083Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.300{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-317B-6007-6DA2-00000000A301}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604082Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.300{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-317B-6007-6DA2-00000000A301}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604081Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:35.300{5A2C5089-317B-6007-6DA2-00000000A301}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604105Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:36.800{5A2C5089-317C-6007-6FA2-00000000A301}47442468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604104Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:36.643{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-317C-6007-6FA2-00000000A301}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604103Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:36.643{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604102Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:36.643{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604101Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:36.643{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604100Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:36.643{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604099Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:36.643{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-317C-6007-6FA2-00000000A301}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604098Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:36.643{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-317C-6007-6FA2-00000000A301}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604097Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:22:36.644{5A2C5089-317C-6007-6FA2-00000000A301}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604108Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:02.189{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604107Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:02.189{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604106Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:02.189{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1500-00000000A301}1500C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604109Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:08.470{5A2C5089-ED59-6001-0D00-00000000A301}5806156C:\Windows\system32\svchost.exe{5A2C5089-2FA1-6007-16A2-00000000A301}6320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604110Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:26.204{5A2C5089-ED57-6001-0B00-00000000A301}8604284C:\Windows\system32\lsass.exe{5A2C5089-ED55-6001-0100-00000000A301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000604118Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:32.626{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-31B4-6007-70A2-00000000A301}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604117Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:32.626{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604116Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:32.626{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604115Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:32.626{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604114Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:32.626{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604113Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:32.626{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-31B4-6007-70A2-00000000A301}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604112Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:32.626{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-31B4-6007-70A2-00000000A301}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604111Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:32.626{5A2C5089-31B4-6007-70A2-00000000A301}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604135Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.845{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-31B5-6007-72A2-00000000A301}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604134Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.845{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604133Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.845{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604132Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.845{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604131Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.845{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604130Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.845{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-31B5-6007-72A2-00000000A301}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604129Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.845{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-31B5-6007-72A2-00000000A301}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604128Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.846{5A2C5089-31B5-6007-72A2-00000000A301}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604127Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.376{5A2C5089-31B5-6007-71A2-00000000A301}68125428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604126Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.220{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-31B5-6007-71A2-00000000A301}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604125Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.220{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604124Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.220{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604123Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.220{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604122Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.220{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604121Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.220{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-31B5-6007-71A2-00000000A301}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604120Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.220{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-31B5-6007-71A2-00000000A301}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604119Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:33.221{5A2C5089-31B5-6007-71A2-00000000A301}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604150Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.626{5A2C5089-31B6-6007-73A2-00000000A301}56804864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604149Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.470{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-31B6-6007-73A2-00000000A301}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604148Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.470{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604147Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.470{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604146Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.470{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604145Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.470{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604144Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.470{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-31B6-6007-73A2-00000000A301}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604143Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.470{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-31B6-6007-73A2-00000000A301}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604142Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.470{5A2C5089-31B6-6007-73A2-00000000A301}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604141Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.001{5A2C5089-31B5-6007-72A2-00000000A301}48884076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604140Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.001{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31B5-6007-72A2-00000000A301}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604139Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.001{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31B5-6007-72A2-00000000A301}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604138Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.001{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31B5-6007-72A2-00000000A301}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604137Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.001{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31B5-6007-72A2-00000000A301}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604136Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:34.001{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31B5-6007-72A2-00000000A301}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604171Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.673{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-31B7-6007-75A2-00000000A301}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604170Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.673{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604169Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.673{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604168Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.673{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604167Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.673{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604166Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.673{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-31B7-6007-75A2-00000000A301}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604165Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.673{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-31B7-6007-75A2-00000000A301}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604164Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.673{5A2C5089-31B7-6007-75A2-00000000A301}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604163Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.001{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-31B7-6007-74A2-00000000A301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604162Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.001{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604161Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.001{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604160Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.001{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604159Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.001{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604158Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.001{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-31B7-6007-74A2-00000000A301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604157Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.001{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-31B7-6007-74A2-00000000A301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604156Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.001{5A2C5089-31B7-6007-74A2-00000000A301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604155Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.001{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31B7-6007-74A2-00000000A301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604154Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.001{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31B7-6007-74A2-00000000A301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604153Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.001{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31B7-6007-74A2-00000000A301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604152Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.001{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31B7-6007-74A2-00000000A301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604151Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:35.001{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31B7-6007-74A2-00000000A301}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604180Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:36.501{5A2C5089-31B8-6007-76A2-00000000A301}16566380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604179Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:36.344{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-31B8-6007-76A2-00000000A301}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604178Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:36.344{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604177Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:36.344{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604176Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:36.344{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604175Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:36.344{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604174Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:36.344{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-31B8-6007-76A2-00000000A301}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604173Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:36.344{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-31B8-6007-76A2-00000000A301}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604172Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:36.345{5A2C5089-31B8-6007-76A2-00000000A301}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604181Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:37.141{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2C00-00000000A301}2876C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604206Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604205Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604204Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604203Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604202Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604201Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604200Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604199Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604198Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604197Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604196Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604195Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604194Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604193Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604192Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604191Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604190Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604189Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604188Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604187Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604186Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604185Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604184Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604183Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604182Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:23:39.641{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000604216Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:23:46.766{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000604215Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:23:46.766{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14936464) 13241300x8000000000000000604214Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:23:46.766{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ee90-0x39ba761d) 13241300x8000000000000000604213Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:23:46.766{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ee98-0x9b7ede1d) 13241300x8000000000000000604212Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:23:46.766{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6eea0-0xfd43461d) 13241300x8000000000000000604211Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:23:46.766{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000604210Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:23:46.766{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14936464) 13241300x8000000000000000604209Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:23:46.766{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ee90-0x39ba761d) 13241300x8000000000000000604208Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:23:46.766{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ee98-0x9b7ede1d) 13241300x8000000000000000604207Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-SetValue2021-01-19 19:23:46.766{5A2C5089-ED57-6001-0B00-00000000A301}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6eea0-0xfd43461d) 10341000x8000000000000000604224Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:32.624{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-31F0-6007-77A2-00000000A301}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604223Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:32.624{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604222Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:32.624{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604221Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:32.624{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604220Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:32.624{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604219Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:32.624{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-31F0-6007-77A2-00000000A301}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604218Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:32.624{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-31F0-6007-77A2-00000000A301}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604217Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:32.624{5A2C5089-31F0-6007-77A2-00000000A301}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604246Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.858{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31F1-6007-79A2-00000000A301}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604245Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.858{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31F1-6007-79A2-00000000A301}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604244Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.858{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31F1-6007-79A2-00000000A301}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604243Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.858{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31F1-6007-79A2-00000000A301}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604242Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.858{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-31F1-6007-79A2-00000000A301}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604241Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.842{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-31F1-6007-79A2-00000000A301}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604240Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.842{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604239Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.842{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604238Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.842{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604237Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.842{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604236Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.842{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-31F1-6007-79A2-00000000A301}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604235Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.842{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-31F1-6007-79A2-00000000A301}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604234Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.844{5A2C5089-31F1-6007-79A2-00000000A301}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604233Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.452{5A2C5089-31F1-6007-78A2-00000000A301}58044256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604232Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.296{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-31F1-6007-78A2-00000000A301}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604231Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.296{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604230Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.296{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604229Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.296{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604228Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.296{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604227Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.296{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-31F1-6007-78A2-00000000A301}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604226Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.296{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-31F1-6007-78A2-00000000A301}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604225Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:33.296{5A2C5089-31F1-6007-78A2-00000000A301}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604255Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:34.624{5A2C5089-31F2-6007-7AA2-00000000A301}52887036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604254Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:34.467{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-31F2-6007-7AA2-00000000A301}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604253Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:34.467{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604252Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:34.467{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604251Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:34.467{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604250Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:34.467{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604249Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:34.467{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-31F2-6007-7AA2-00000000A301}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604248Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:34.467{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-31F2-6007-7AA2-00000000A301}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604247Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:34.468{5A2C5089-31F2-6007-7AA2-00000000A301}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604272Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.874{5A2C5089-31F3-6007-7CA2-00000000A301}58885584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604271Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.717{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-31F3-6007-7CA2-00000000A301}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604270Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.717{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604269Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.717{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604268Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.717{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604267Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.717{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604266Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.717{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-31F3-6007-7CA2-00000000A301}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604265Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.717{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-31F3-6007-7CA2-00000000A301}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604264Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.718{5A2C5089-31F3-6007-7CA2-00000000A301}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604263Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.092{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-31F3-6007-7BA2-00000000A301}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604262Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.092{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604261Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.092{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604260Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.092{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604259Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.092{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604258Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.092{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-31F3-6007-7BA2-00000000A301}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604257Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.092{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-31F3-6007-7BA2-00000000A301}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604256Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:35.094{5A2C5089-31F3-6007-7BA2-00000000A301}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604281Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:36.499{5A2C5089-31F4-6007-7DA2-00000000A301}65962144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604280Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:36.342{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-31F4-6007-7DA2-00000000A301}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604279Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:36.342{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604278Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:36.342{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604277Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:36.342{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604276Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:36.342{5A2C5089-ED59-6001-0C00-00000000A301}6684156C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604275Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:36.342{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-31F4-6007-7DA2-00000000A301}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604274Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:36.342{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-31F4-6007-7DA2-00000000A301}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604273Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:24:36.344{5A2C5089-31F4-6007-7DA2-00000000A301}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604282Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:06.076{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-2FCF-6007-24A2-00000000A301}6436C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604283Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:30.325{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1600-00000000A301}1536C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604296Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:32.747{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-322C-6007-7EA2-00000000A301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604295Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:32.747{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-322C-6007-7EA2-00000000A301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604294Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:32.747{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-322C-6007-7EA2-00000000A301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604293Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:32.747{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-322C-6007-7EA2-00000000A301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604292Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:32.747{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-322C-6007-7EA2-00000000A301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604291Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:32.622{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-322C-6007-7EA2-00000000A301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604290Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:32.622{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604289Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:32.622{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604288Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:32.622{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604287Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:32.622{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604286Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:32.622{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-322C-6007-7EA2-00000000A301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604285Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:32.622{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-322C-6007-7EA2-00000000A301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604284Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:32.622{5A2C5089-322C-6007-7EA2-00000000A301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604313Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.981{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-322D-6007-80A2-00000000A301}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604312Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.981{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604311Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.981{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604310Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.981{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604309Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.981{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604308Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.981{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-322D-6007-80A2-00000000A301}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604307Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.981{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-322D-6007-80A2-00000000A301}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604306Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.982{5A2C5089-322D-6007-80A2-00000000A301}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604305Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.450{5A2C5089-322D-6007-7FA2-00000000A301}65366772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604304Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.294{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-322D-6007-7FA2-00000000A301}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604303Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.294{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604302Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.294{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604301Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.294{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604300Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.294{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604299Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.294{5A2C5089-ED57-6001-0500-00000000A301}6442212C:\Windows\system32\csrss.exe{5A2C5089-322D-6007-7FA2-00000000A301}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604298Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.294{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-322D-6007-7FA2-00000000A301}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604297Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:33.294{5A2C5089-322D-6007-7FA2-00000000A301}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604327Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:34.809{5A2C5089-322E-6007-81A2-00000000A301}16283968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604326Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:34.778{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-322E-6007-81A2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604325Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:34.778{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-322E-6007-81A2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604324Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:34.778{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-322E-6007-81A2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604323Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:34.778{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-322E-6007-81A2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604322Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:34.778{5A2C5089-30C8-6007-5AA2-00000000A301}69846932C:\Windows\system32\taskmgr.exe{5A2C5089-322E-6007-81A2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604321Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:34.653{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-322E-6007-81A2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604320Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:34.653{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604319Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:34.653{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604318Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:34.653{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604317Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:34.653{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604316Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:34.653{5A2C5089-ED57-6001-0500-00000000A301}6441184C:\Windows\system32\csrss.exe{5A2C5089-322E-6007-81A2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604315Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:34.653{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-322E-6007-81A2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604314Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:34.653{5A2C5089-322E-6007-81A2-00000000A301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604336Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.481{5A2C5089-322F-6007-82A2-00000000A301}60086860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604335Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.325{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-322F-6007-82A2-00000000A301}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604334Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.325{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604333Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.325{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604332Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.325{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604331Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.325{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604330Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.325{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-322F-6007-82A2-00000000A301}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604329Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.325{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-322F-6007-82A2-00000000A301}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604328Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.325{5A2C5089-322F-6007-82A2-00000000A301}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604353Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:36.731{5A2C5089-3230-6007-84A2-00000000A301}68646832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604352Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:36.575{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-3230-6007-84A2-00000000A301}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604351Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:36.575{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604350Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:36.575{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604349Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:36.575{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604348Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:36.575{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604347Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:36.575{5A2C5089-ED57-6001-0500-00000000A301}644760C:\Windows\system32\csrss.exe{5A2C5089-3230-6007-84A2-00000000A301}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604346Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:36.575{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-3230-6007-84A2-00000000A301}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604345Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:36.575{5A2C5089-3230-6007-84A2-00000000A301}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604344Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.997{5A2C5089-EE04-6001-B400-00000000A301}42963036C:\Windows\system32\conhost.exe{5A2C5089-322F-6007-83A2-00000000A301}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604343Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.997{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604342Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.997{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604341Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.997{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604340Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.997{5A2C5089-ED59-6001-0C00-00000000A301}6684568C:\Windows\system32\svchost.exe{5A2C5089-ED6A-6001-2E00-00000000A301}2228C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604339Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.997{5A2C5089-ED57-6001-0500-00000000A301}644660C:\Windows\system32\csrss.exe{5A2C5089-322F-6007-83A2-00000000A301}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000604338Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.997{5A2C5089-EE04-6001-B000-00000000A301}13482884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5A2C5089-322F-6007-83A2-00000000A301}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000604337Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:35.997{5A2C5089-322F-6007-83A2-00000000A301}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5A2C5089-ED58-6001-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5A2C5089-EE04-6001-B000-00000000A301}1348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000604359Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:37.356{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604358Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:37.356{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604357Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:37.356{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604356Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:37.356{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-1000-00000000A301}1168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604355Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:37.356{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-30C8-6007-5AA2-00000000A301}6984C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604354Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:37.356{5A2C5089-ED59-6001-0D00-00000000A301}5804416C:\Windows\system32\svchost.exe{5A2C5089-ED5A-6001-0F00-00000000A301}1132C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604384Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604383Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604382Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-8AA1-00000000A301}5868C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604381Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604380Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604379Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604378Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604377Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604376Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604375Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604374Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604373Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604372Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604371Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604370Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604369Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604368Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2CFD-6007-76A1-00000000A301}2256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604367Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604366Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604365Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604364Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604363Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604362Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604361Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604360Microsoft-Windows-Sysmon/Operationalwin-dc-690.attackrange.local-2021-01-19 19:25:46.074{5A2C5089-ED59-6001-0D00-00000000A301}580636C:\Windows\system32\svchost.exe{5A2C5089-2D06-6007-88A1-00000000A301}5756C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791